HM TREASURY 



Government 

Internal 

Audit 

Manual 





LONDON HERMAJESTY’S STATIONERY OFFICE 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Introduction 



The Government Internal Audit Manual is issued by 
the Treasury to provide direction, advice and infor- 
mation on internal audit to government departments 
and non-departmental public bodies. 

GIAM consolidates and brings up to date existing 
guidance and supports the development of internal 
audit in government. 

The manual is divided into the following sections: 



A OBJECTIVES 
B STANDARDS 
C PRACTICE 
D DIGEST 

The Computer Audit Guidelines of the Chartered 
Institute of Public Finance and Accountancy have 
been adopted as a companion volume to GIAM and 
are available through HMSO. 

The front page of each section notes its contents. 

H M Treasury 

December 1983 



GIAM 12/83 (amended) 



Printed image digitised by the University of Southampton Library Digitisation Unit 



A 



OBJECTIVES 



Internal audit is an independent appraisal within a 
department which operates as a service to manage- 
ment by measuring and evaluating the effectiveness 
of the internal control system 



Role 

Organisation 

Responsibility 

Approach 

Standards 



OI AM 1/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



A 



Role 

1 Internal audit is an independent appraisal within a department which 
operates as a service to management by measuring and evaluating the 
effectiveness of the internal control system. Thus it is concerned with a 
department’s efficiency, effectiveness and economy. 

2 An internal audit unit should be established with responsibility for 
giving assurance to the Accounting Officer on the department’s internal 
control system. It also assists managers by measuring, evaluating and 
reporting on the elements of the internal control system for which they 
are responsible. 

3 The internal control system comprises the whole system of controls, 
financial and otherwise, established by management in order to carry on 
business in an orderly and efficient manner, ensure adherence to manage- 
ment policies and directives, safeguard assets and secure as far as possible 
the completeness and accuracy of records. 

4 Internal audit is not an extension of or a substitute for line management. 
Responsibility for internal control rests fully with line managers who 
ensure that appropriate and adequate arrangements exist without regard 
to audit activity. It is for management to decide whether or not to accept 
and implement audit findings and recommendations. 



Organisation 

5 In his memorandum of responsibilities an Accounting Officer is charged 
with paying particular attention to the adequacy and effectiveness of his 
arrangements for internal audit. 

6 The organisation of an internal audit unit will vary according to the 
size and complexity of departments. Whatever structure is determined a 
Head of Internal Audit will need to be appointed, who should be suitably 
experienced, of appropriate grade, and preferably professionally qualified. 
He should normally be responsible directly to the department’s Principal 
Finance Officer but have the right of direct access to the Accounting 
Officer. 

7 The Accounting Officer should specify terms of reference which will 
enable the Head of Internal Audit to give him the quality of assurance he 
requires. 

8 The internal audit unit should not have responsibility for executive 
functions nor for the development or implementation of systems. Subject 
to limitations arising from the need for objectivity, internal audit may be 
regarded as a source of advice on systems of control and related matters. 

OIAM i/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



A 



Responsibility 

9 The precise responsibility of the internal audit unit will be determined 

by a department’s Accounting Officer, or the permanent head where there 

is more than one Accounting Officer, having regard to Treasury advice. 

Its principal objectives should be: 

(a) to review and appraise the soundness, adequacy and application of 
accounting, financial and other controls 

(b) to ascertain the extent of compliance with established policies and 
procedures 

(c) to ascertain the extent to which the department’s assets and interests 
are properly controlled and safeguarded from losses of all kinds 

(d) to ascertain that the accounting and other data developed within the 
department is reliable as a basis for the production of the appropri- 
ation, White Paper and other accounts 

(e) to ascertain the integrity and reliability of financial and other data 
provided to management including that in connection with the decision- 
making process. 



Approach 

10 In achieving its objectives an internal audit unit should: 

(a) identify all elements of the department’s internal control system and 
establish a review cycle 

(b) evaluate systems, identify inadequate controls and recommend 
improvements in procedures and practices 

(c) ascertain that systems of control are laid down and operate to achieve 
the most effective, efficient and economic use of resources 

(d) draw attention to any apparently uneconomical or otherwise unsatisfac- 
tory result flowing from a decision or long established practice or 
policy. 

11 Audit reports are normally sent to the responsible managers asking 
them to indicate within a specified time what action they are taking. The 
Head of Internal Audit should draw the attention of the Principal Finance 
Officer and in due course, where appropriate, the Accounting Officer to 
significant recommendations which have not received adequate attention. 



Standards 

12 The operation and conduct of the internal audit unit should be ordered 
by the standards contained in Section B. 

GIAM 1/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



B 



STANDARDS 



The Treasury internal audit standards represent 
good practice, and indicate criteria by which the 
operation of internal audit should be measured and 
evaluated. They apply to all internal audit units 
and internal auditors in government departments and 
non-departmental public bodies. 

They may be modified from time to time as internal 
auditing adapts to change. 



B1 Scope 

B2 Independence 

B3 Staffing and Training 

B4 Due professional care 

B5 Planning, Controlling, Recording 

B6 Audit evidence 

B7 Reporting 

B8 Fraud and irregularity 

B9 Relationships 



GIAM 1/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



B1 



Scope 



Internal audit should embrace all the operations, 
staff and services of a department including funded 
bodies. 



Introduction 
Terms of reference 
Non-departmental public bodies 
Policy matters 

Consultation on systems and controls 
Inter-departmental systems 
Special reviews 
Executive responsibilities 



OIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B1 



Introduction 

1 The Standard indicates the range of internal audit recommended by the 
Treasury. The Head of Internal Audit should ensure that his Accounting 
Officer is aware of the activities which should be included within the field 
of audit activity to accord with Standard (see B5.7). 

2 In the light of this it is the responsibility of the Accounting Officer, 
or Chief Officer of a grant receiving body, to determine the scope of his 
internal audit unit. In a department where there is more than one 
Accounting Officer the decision should be made by its permanent head. 

3 Major factors to be considered in determining the range of audit 
activity are the risk to which an Accounting Officer may be exposed, and 
the quality of assurance he wishes to have. Both affect the resources to 
be allocated to internal audit (see B5.10). 

Terms of reference 

4 An internal audit unit should have terms of reference. These should 
be formally agreed between the Accounting Officer and the Head of 
Internal Audit and approved by the Treasury (see B2.6). 

5 The terms of reference for internal audit should be formulated so that 
the Head of Internal Audit is able to give his Accounting Officer the 
desired quality of assurance on the adequacy, reliability and efficiency of 
the department’s internal control system. This should include the depart- 
ment’s controls relating to bodies funded by it. (see B1.7). 

6 The range of internal audit activity should therefore cover the whole 
system of controls, financial, management and otherwise, established to: 

(a) effect the department’s business in an orderly and efficient manner 

(b) ensure adherence to management policies and directives 

(c) safeguard assets 

(d) secure as far as possible the completeness and accuracy of records 

(e) prevent waste 

N on-departmental public bodies 

7 The Head of Internal Audit may wish to conduct reviews in bodies 
funded by his Accounting Officer in order to assess the effectiveness of 
the department’s internal control system (see B1.5). Rights of access should 
therefore be set out in Conditions of Grant. 

8 Bodies funded by departments should be encouraged to have internal 
audit as part of their own internal control arrangements (see Appendix 3 

OIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B1 



of ‘Non-Departmental Public Bodies: A Guide for Departments’). This 
may not be possible or cost effective and a body may request the 
Accounting Officer of its sponsoring department to provide an internal 
audit service. In such circumstances the department’s Accounting Officer 
should have regard to possible conflicts of interest which might be caused 
by the dual reporting responsibilities of his Head of Internal Audit. 
Implications regarding the sufficiency of internal audit resources should 
also be assessed. 

Policy matters 

9 The internal audit unit should draw attention to any apparently 
uneconomical or otherwise unsatisfactory result flowing from a decision 
or long established practice or policy. 

Consultation on systems and controls 

10 An internal audit unit should be informed and consulted about 
significant changes in a department’s internal control system. It is advisable 
that audit opinion is given at an early stage and on a continuing basis 
where major or complex systems are involved, (see B2.14-15). 

Inter-departmental systems 

11 Some systems are used by more than one department and a department 
may be responsible for identifiable components of a system, use data 
produced by another’s system, or carry out functions on behalf of others. 
The Head of Internal Audit should satisfy himself that the responsibilities 
for such systems have been identified and agreed, and that the internal 
controls and internal audit arrangements adequately protect his Accounting 
Officer (see B4. 13-18). 

Special reviews 

12 An internal audit unit may carry out special reviews or assignments 
on its own initiative or as requested by senior management. Where requests 
by management fall outside the planned work of the unit they should be 
authorised only by the Head of Internal Audit. 

Executive responsibilities 

13 Internal Audit is not an extension of or substitute for the functions 
of line management. Responsibility for internal control rests fully with 
line managers who should ensure that appropriate and adequate arrange- 
ments exist without regard to internal audit activity. 

GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



14 An internal audit unit should have no executive responsibilities (see 
B2.12). It is for management to decide whether or not to accept and 
implement internal audit findings and recommendations (see B7. 12-16). 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Independence 



Internal Audit must be sufficiently independent to 
enable auditors to perform their duties in a manner 
which will allow professional judgements and 
recommendations to be effective and impartial. 
Internal Audit should be a separate entity. 



Introduction 

Status 

Objectivity 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B2 



Introduction 

1 Independence is fundamental to the effectiveness of an internal audit 
unit, which is independent when it operates freely within the terms of 
reference determined by the department’s Accounting Officer. For the 
individual auditor, independence is essentially an attitude of mind charac- 
terised by integrity and an objective approach to work. 

2 An internal audit unit achieves independence through its status in a 
department and the objectivity of its staff. 



Status 

3 Internal audit takes its authority and terms of reference from the 
Accounting Officer to whom the Head of Internal Audit should have right 
of direct access. The Head of Internal Audit should normally be responsible 
directly to the department’s Principal Finance Officer. 

4 The Accounting Officer should appoint the Head of Internal Audit, 
subject to the approval of the Treasury (see B3.14). 

5 An internal audit unit should be a separate entity, independent of staff 
directly responsible for operations. 

6 The terms of reference of an internal audit unit should: 

(a) indicate the objectives of internal audit and its status within the 
department 

(b) define the scope of internal audit activity (see B 1.4-6). 

7 The Head of Internal Audit should submit to the Accounting Officer 
annually or more frequently as necessary: 

(a) an audit plan, covering periods determined by the Accounting Officer, 
for approval (see B5.12) 

(b) explanation of significant variations from previously approved plans 

(c) reports of significant audit findings, opinions or recommendations, 
indicating the scope of work performed and any limitations placed on 
audit. 

8 Subject to his terms of reference and the approved audit plan the Head 
of Internal Audit should personally, or as delegated by him: 

(a) determine audit priorities, work plans, staff allocation and other 
operational arrangements 

(b) select his staff in consultation with personnel management divisions 

(c) issue audit reports on any aspect of the department’s activities. 

GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B2 



9 An internal audit unit should have access to all records, assets, 
personnel and premises and be authorised to obtain such information and 
explanations as it considers necessary to fulfil its responsibilities. 

Objectivity 

10 Objectivity is an independent mental attitude which internal auditors 
should maintain in performing audits. They should not allow their judge- 
ment on audit matters to be affected by external factors. 

11 Objectivity requires internal auditors to carry out audits in such a 
way that they are not required to compromise the quality of their work 
or their honest belief in the results of that work. Internal auditors should 
not be placed in situations in which they feel unable to make objective 
professional judgements. 

12 Internal auditors should not have operational responsibilities outside 
audit. If internal auditors perform non-audit work it should be understood 
that they are working separately from the internal audit unit (see B1 .12-14). 

13 Objectivity is presumed to be impaired when internal auditors review 
any activity for which they had (or have) authority or responsibility. 
Officers transferred to or temporarily engaged in an internal audit unit 
should not audit activities they previously performed until a reasonable 
period of time has elapsed. 

14 An auditor’s objectivity may be compromised by any involvement in 
the design of systems which he may subsequently audit. This should not, 
in itself, prevent internal audit from giving advice, although where possible 
subsequent audits should be staffed by officers not involved at the design 
stage (see B1.10). 

15 Any recommendations on controls to be incorporated in systems and 
procedures whilst still under development should be made without prejudice 
to the audit unit’s right to review and appraise subsequently. 

16 Internal auditors should inform the Head of Internal Audit of any 
situations in which a conflict of interest or bias is present or may reasonably 
be inferred. If necessary they should be reassigned. Work assignments of 
internal auditors should be rotated from time to time where possible. 

17 Any possibility of impairment to objectivity should be considered by 
audit management when reviewing audit findings (see B7.7). 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B3 



Staffing and Training 



Internal audit should be appropriately staffed in 
terms of numbers, grades and experience, having 
regard to its objectives and standards. Internal 
auditors must be properly trained to fulfil their 
responsibilities. 



Introduction 

STAFFING 

Range of skills 

Personal attributes 

Grading 

Structure 

Trainees 

Specialists 

Probation 

Head of Internal Audit 

Job specifications 

Career planning and management 



TRAINING 

Scope 

Application 

Co-ordination and review 

Basic audit training standard: Appendix 1 
Computer audit training standard: Appendix 2 

GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B3 



Introduction 

1 The effectiveness of an internal audit unit depends substantially on the 
quality, training and experience of its staff. Only those with appropriate 
background, personal qualities and potential should be selected as internal 
auditors. Thereafter steps should be taken to give them the necessary 
training and experience. 

2 Internal audits should be performed by, or under the control of, 
auditors who have the technical skills, experience and perspective which 
will enable them to comply with these Standards. 

3 The Head of Internal Audit should ensure that his staff, collectively, 
have the capacity to enable him to satisfy and exercise his responsibilities. 

STAFFING 
Range of skills 

4 An internal audit unit should comprise personnel with varying types 
and levels of skills, qualifications and experience to ensure that the needs 
of each audit task are matched by appropriate staff. 

Personal attributes 

5 An internal auditor requires initiative and a mature and reasoned 
outlook. He should be capable of following investigations through to their 
logical conclusion by a persistent but tactful approach. He needs to be 
able to gain the respect and co-operation of those whose work he is 
auditing. 

6 Internal auditors should be able to understand and appraise systems 
and controls quickly, make sound judgements, write cogent reports and 
argue their conclusions to senior levels if necessary. 

7 Internal auditors should be able to apply internal audit methods, 
procedures and techniques in situations they are likely to encounter without 
extensive recourse to technical research or assistance. Specialist internal 
auditors must additionally be proficient in applying their special skills. 

8 Ideally, internal auditors should have first hand understanding of the 
department in which they are operating. Experience in other departments 
and organisations is also valuable in recognising and evaluating local 
practices which may be in need of improvement. 

Grading 

9 The grading of internal audit posts should reflect job content. The 
Treasury will issue general guidance as appropriate. 

G1AM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Structure 



10 The staffing structure of an audit unit should reflect its terms of 
reference and will vary according to the size and complexity of the 
department. 

Trainees 

11 First posting into internal audit should normally be at trainee or 
executive officer level. A first posting should normally be of not less than 
five years in an audit unit, a trainee becoming equipped to work as an 
internal auditor after two to three years, on satisfactory completion of 
basic audit training. 

Specialists 

12 The capacity of an internal audit unit is improved by the recruitment 
of specialist staff, particularly in departments which are concerned with 
work of a technical nature. The effectiveness of specialists will be limited 
until they complete appropriate internal audit training. 

Probation 

13 First postings to internal audit should be probationary for six to 
twelve months. A decision not to confirm a posting should not necessarily 
be regarded as indicating a ‘failed’ marking, only an unsuitability for 
audit work. 

Head of Internal Audit 

14 The Head of Internal Audit should have wide experience of internal 
audit and internal audit management, and preferably be professionally 
qualified (see B2.3-4). 



Job specifications 

15 In conjunction with the Principal Establishment Officer, the Head of 
Internal Audit should ensure that job specifications are maintained for all 
posts within the audit unit including his own. 

Career planning and management 

16 Officers with internal audit training and experience should be posted 
into and out of an internal audit unit at various stages of their careers 
but internal audit should not normally be regarded as a total career. 

GIAM 1/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



B3 



TRAINING 

17 The Treasury will from time to time prescribe detailed training 
standards. The Head of Internal Audit, with the advice of the Principal 
Establishment Officer and the Departmental Training Officer, should 
ensure that each internal auditor receives the training required by his duties 
and responsibilities. 

Scope 

18 Training should be a planned and continuing process at all levels, 
and cover: 

(a) basic training providing the knowledge which all internal auditors in 
government should possess 

(b) development training in general audit skills, techniques and behavioural 
aspects, to improve the effectiveness of those currently employed as 
internal auditors 

(c) management training for auditors who have the potential to manage 
and direct an audit team, and for existing managers 

(d) specialist training for those auditors responsible for a particular 
activity, such as a computer auditing, which requires special skill or 
knowledge. 

19 Other forms of training should be considered in order to meet short- 
term needs or other special requirements. These may include attachments 
to and from other organisations or audit units. 

20 Internal auditors are responsible for continuing their education in 
order to maintain their proficiency. They should keep themselves informed 
about improvements and current developments in internal auditing. 

Application 

21 Training should be tailored to the needs of the individual and include 
practical application of theoretical knowledge under the supervision of 
competent and experienced internal auditors. 

22 Training should be firmly linked with the audit planning process. 
Account should be taken of: 

(a) objectives and priorities established in the planning process 

(b) the type of audit work to which an individual is allocated 

(c) an auditor’s previous training, experience and qualifications 

(d) the development of the individual in the light of the future needs of 
both the internal audit unit and the department. 

OIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B3 



Co-ordination and review 

23 Training requirements should be co-ordinated and subject to continu- 
ing and at least annual review. Records of training plans and achievements 
should be maintained. 

24 In large audit units the Head of Internal Audit should delegate the 
planning, supervision and co-ordination of training arrangements to a 
designated training officer. 



GI AM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B3 

Appendix 1 



Basic Audit Training Standard 



This standard is primarily for new entrants to 
internal audit at the trainee or assistant auditor level 
(normally executive officers). It sets out the body of 
knowledge which internal auditors in government 
are expected to possess. 

The standard includes subjects in which trainees 
may already have a sufficient grounding, such as 
principles of accounts, government finance, 
costing, management or computing. Such experi- 
ence or knowledge would entitle trainees to 
exemptions on a subject for subject basis. 

The full training programme should last about two 
years and contain the following modules: 

Basic accountancy and government finance 

Internal control 

Management 

Principles and practice of internal auditing 
Audit techniques 

Basic computing and computer auditing 



GIAM 1/83 



Issued under DAO 17/82 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B3 

Appendix 1 



1 Basic accountancy and government finance 

(a) An understanding of government financial 
organisation and accounting systems embracing PES, 
parliamentary control, vote and estimates systems, 
cash limits, public accountability, the role of E&AD, 
PAG and Select Committees, appropriation and 
other accounts. 

(b) A grounding in basic principles of accounts 
including books of account and subsidiary books, 
trading and profit and loss accounts, balance sheets, 
income and expenditure accounts, receipts and pay- 
ments accounts. 

(c) An understanding of costing including the 
behaviour of costs and basic costing techniques. 

(d) An appreciation of financial management includ- 
ing financial aspects of decision taking in the public 
sector. 

2 Internal control 

(a) A working knowledge and understanding of 
internal control and its relationship to other aspects 
of management. 

(b) An understanding of the elements of various 
kinds of control systems and appreciation of resource 
implications. 

3 Management 

An understanding of the theory of management and 
basic management skills including control of work, 
motivation, management of resources and decision 
taking. 

4 Principles and practice of internal auditing 

(a) An understanding of the theory of internal audit- 
ing and its history, standards and scope. The role 
and purpose of internal audit within the organisation 
and the requirement for independence and objectiv- 
ity. The relationship between internal audit and 
management (at various levels), management 
services and external audit. 

GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B3 

Appendix 1 



(b) An understanding of the various types and 
approaches to audit including operational audit, 
value for money audit, contract audit, and financial 
audit. The place of vouching and verification. In 
particular a thorough grounding in the systems 
approach. 

(c) An appreciation of audit management including 
assignment management, audit preparation, 
procedures and practices. The theory of manage- 
ment of internal audit including resource control 
and performance measurement. 



5 Audit techniques 

The understanding and practical application of 
various techniques including: 

(a) interviewing 

(b) documentation 

(c) internal control questionnaires 

(d) flowcharting 

(e) evaluation of systems 

(f) testing 

(g) analytical techniques 

(h) reporting 

(i) statistical sampling 

6 Basic computing and computer auditing 

(a) An appreciation of the computer environment 
and organisation. An understanding of the elements 
of computerised systems including facilities, hard- 
ware, software, programs and operations. 

(b) An introduction to the audit of computerised 
systems including applications, installations and the 
use of computers as an audit tool. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 1/83 



B3 

Appendix 1 



(c) An appreciation of the effects of computerisation 
on systems and the implications for management in 
using such systems. 

(d) An appreciation of the audit implications of 
computerised systems. 



GIAM 1/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



B3 

Appendix 2 



Computer Audit Training Standard 



The purpose of this standard is to indicate the level 
and range of knowledge required by internal audit 
units to perform competently in the three main ele- 
ments of computer audit: the audit of applications, 
computer installations and systems development. 

All computer auditors require a minimum general 
and practical DP knowledge and a thorough under- 
standing of all aspects of control (standards 1 , 2 and 
3). In large audit units it may be possible for some 
auditors to specialise in one or other of the elements. 
This should be reflected in the range of formal 
training and experience provided. 

Computer auditors may specialise within the com- 
puter audit function as recognised by the standard. 
They need to be continually trained in order to keep 
up to date in this rapidly changing field. 

The computer auditor needs a knowledge and under- 
standing of computing in addition to the skill and 
knowledge of a trained auditor. Therefore this 
standard complements the basic audit training 
standard. It indicates the required training for: 

Computing and computer systems 

Computer audit techniques and approaches 



GIAM 1/83 



Issued under DAO 21/82 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B3 

Appendix 2 



COMPUTING AND COMPUTER SYSTEMS 

1 General DP knowledge 

The ability to converse fluently with DP staff. This 
will require an understanding of the concepts and 
terminology of programming, systems analysis and 
operations and of computer hardware and software, 
processing, project management and familiarity with 
the DP environment. 

2 Practical DP knowledge 

The ability to ascertain and document computer 
systems. This will require a knowledge of program- 
ming, including the ability to use a high level 
language, and of systems analysis sufficient to work 
with system documentation normally without assist- 
ance. In the case of systems analysis the minimum 
level required will be the equivalent to that needed 
for the NCC basic certificate. 

3 Internal control and computers 

The ability to evaluate the adequacy of internal 
control. This requires a thorough understanding of 
the means of establishing adequate internal control 
in the DP field, including applications, installations 
and systems development. 

4 Job related DP knowledge 

An understanding of the particular methods 
employed by the auditor’s organisation in his area 
of audit responsibility. 



COMPUTER AUDIT TECHNIQUES AND 
APPROACHES 

5 Basic audit 

A detailed working knowledge and competence in 
the practice of internal auditing as specified in the 
basic audit training standard. 

6 Computer audit 

A detailed working knowledge and competence in 
the audit of: 

GIAM 1/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



B3 

Appendix 2 



(a) applications 

(b) installations 

(c) systems development. 

The requirement for an individual computer auditor 
to possess each of these elements will depend on his 
particular area of responsibility. 

7 Computer assisted audit techniques (CAATs) 
The ability to use/manage the use of CAATs as part 
of audit testing or for other purposes. This will 
require a knowledge of a standard file interrogation 
package and an understanding of other CAATs. 
Proficiency in programming CAATs may not be 
required by all computer auditors. 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Due Professional Care 



In carrying out their duties internal auditors should 
exercise due professional care, that is with com- 
petence based on appropriate experience, training, 
ability, integrity and objectivity. 



Introduction 
Personal integrity 
Compliance with standards 
Reliance on other auditors 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B4 



Introduction 

1 Due professional care calls for the application of the care and skill 
which would be expected of a reasonably prudent and competent internal 
auditor in the same or similar circumstances. Professional care should, 
therefore, be appropriate to the complexities of the audit being performed. 

2 In exercising due professional care, internal auditors should identify 
inadequate controls and recommend improvements to promote conformity 
with acceptable procedures and practices. In addition, they should be alert 
to the possibility of intentional wrongdoing, errors and omissions, 
inefficiency, waste, lack of economy, ineffectiveness, and conflicts of 
interest. They should also be alert to those conditions and activities where 
irregularities are most likely to occur. 

3 Due care implies reasonable care and competence, not infallibility or 
extraordinary performance. Due care requires an auditor to conduct 
examinations and verifications to a reasonable extent, but does not 
normally require detailed transactions audits. Accordingly, internal audit- 
ors cannot give absolute assurance that non-compliance or irregularities 
do not exist. An internal auditor should, nevertheless, consider the effect 
of significant systems weaknesses and the possibility of material irregu- 
larity or non-compliance when undertaking an internal auditing assign- 
ment (see B8.4). 

4 Exercising due professional care means using reasonable audit skill and 
judgement in performing an audit. To this end, an internal auditor should 
consider: 

(a) audit objectives and the work needed to achieve them 

(b) the relative materiality or significance of matters to which audit 
procedures are applied 

(c) the adequacy and effectiveness of internal controls 

(d) the cost of control in relation to potential benefits. 

5 Due professional care includes evaluating operating standards and 
determining whether those standards are appropriate and are being met. 

In cases of doubt about such standards, authoritative interpretations 
should be sought. If internal auditors are required to interpret or identify 
operating standards, they should seek agreement with auditees as to the 
standards to measure performance for that assignment. 

Personal integrity 

6 An auditor should be fair and not allow prejudice or bias to override 
objectivity. He should maintain an impartial attitude and be, and appear 

GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



E4 



to be, free of any interest which might be regarded, whatever its actual 
effect, as being incompatible with integrity and objectivity (see B2. 10-17). 

7 An auditor should use all reasonable care in obtaining sufficient, 
relevant and reliable evidence on which to base his conclusions (see B6.3). 

8 In reporting an auditor should reveal all material facts known to him 
which, if not revealed, could either distort his report or conceal unlawful 
practice (see B7.7). 

9 Information acquired by ah auditor in the course of his work should 
not be used for purposes outside the department nor for his personal 
benefit or gain. 

10 An auditor should not accept a fee or gift from an auditee, employee, 
client, supplier or other third party. 

Compliance with standards 

11 Internal auditors should comply with these standards. They should 
be able to demonstrate that their work has been performed accordingly. 

12 The Head of Internal Audit is responsible for the maintenance of 
these standards in his department. He should establish methods of evalu- 
ating the operations of the internal audit unit to provide reasonable 
assurance that audit work conforms with these standards and that the 
audit unit fulfils its responsibilities (see B5. 23-25). 

Reliance on other auditors 

13 Where the Head of Internal Audit relies on the work of auditors not 
on his staff (hereafter called secondary auditors) he should be satisfied 
that such arrangements, together with any additional work he considers 
necessary, adequately protect his Accounting Officer (see Bl.ll). 

14 The precise nature and extent of a secondary auditor’s responsibilities 
should be unambiguous. They should be formally specified and 
acknowledged. 

15 Secondary auditors should appreciate the reliance which is being 
placed on their work. They should make available information or files 
which may be requested by the Head of Internal Audit. 

16 Before relying on the opinion of secondary auditors the Head of 
Internal Audit should be satisfied: 

(a) with the auditing standards governing their work 

(b) regarding any limitations placed on their work 

(c) with the nature, extent and adequacy of their examination. 

GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B4 



17 Where the Head of Internal Audit arranges for specific tasks to be 
carried out by a secondary auditor he should ensure, by detailed review 
or other method, that the specified tasks have been satisfactorily carried 
out and where appropriate obtain a certificate to this effect. 

18 In determining the extent of his enquiries into work performed by a 
secondary auditor, and in selecting any review procedures required, the 
Head of Internal Audit should consider the materiality of the amounts 
involved or subject under review. 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B5 



Planning, Controlling asad 
Recording 



Internal audit work should be planned, controlled 
and recorded at all levels of operation in order to 
establish priorities, achieve objectives, ensure 
efficiency and the effective use of audit resources. 



Introduction 

PLANNING 

Principles 

Assessment of audit need 
Operational plans 

CONTROLLING 

Staff performance 

Audit policies and procedures 

Supervision 

Quality assurance 

RECORDING 
Documentation 
Working papers 
Retention of audit records 



GIAM 12/83 (amended) 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B5 



Introduction 

1 The work of an internal audit unit should be planned, controlled and 
recorded at each level of operation and throughout individual audits to 
ensure that a continuous and effective level of internal audit is being 
maintained. Planning, controlling and recording are considered separately 
although they are not mutually exclusive. 

PLANNING 

2 The Head of Internal Audit should prepare plans to carry out the 
responsibilities of the internal audit unit for approval by the Accounting 
Officer, taking into account the advice of the department’s Audit 
Committee if there is one. 

Principles 

3 Planning enables an internal audit unit to achieve its objectives. To be 
adequate, plans should: 

(a) establish a schedule of service activities and systems and ascribe a 
period within which it is desirable that each activity and system should 
be examined 

(b) define the tasks to be performed 

(c) assist in the direction and control of work by identifying critical areas 
of work and setting target dates. 

4 In order to plan adequately the Head of Internal Audit should: 

(a) define audit needs taking into account the scope of audit activity and 
the assurance required (see Bl.1-3) 

(b) identify the staff and other resources needed and reconcile with 
available resources (see B3.3) 

(c) determine the time period of the audit plans 

(d) monitor work against plan and report significant variances (see B2.7). 

5 The emphasis of audit plans will change from time to time. This might 
be caused by changes within services, departmental reorganisation, system 
amendments or as a result of a decision to concentrate on a specific topic 
or aspect. Plans must be sufficiently flexible to allow prompt response to 
unscheduled work. 

6 Audit plans must be based upon a comprehensive understanding of 
the department and the way in which it operates. Operations of high risk 
and any known problem areas should be clearly identified and the emphasis 
of the audit plan so directed. 

G1AM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B5 



Assessment of audit need 

7 The audit needs of a department should be considered before giving 
weight to factors relating to time or resources. A comprehensive assessment 
of internal audit needs should be produced before the Accounting Officer 
can adequately determine audit scope (see Bl.1-3). The needs assessment 
should be subject to continuing review arising from changes in a depart- 
ment, and should be completely reassessed at least every five years. 

8 The needs assessment process should involve: 

(a) identifying all major areas of work, by system and sub-system 

(b) determining which work areas could and should be audited 

(c) consulting senior management for views on high risk areas 

(d) assessing the risk factors in each work area 

(e) estimating the time required to audit all identified areas. 

9 Audit results should be continually assessed for any implications on 
priorities. Critical areas of work which prove to warrant considerable, 
and early, audit examination may not be reflected in the initial assessment 
of audit need. 

10 Staff and other resources required to meet perceived needs within the 
determined scope of internal audit activity should be measured and 
assessed (see B1.3). Where existing resources are inadequate the Head of 
Internal Audit should refer to his Accounting Officer who should decide 
whether: 

(a) additional resources should be provided 

(b) audit scope should be modified 

(c) time scales should be extended. 

Operational plans 

11 Operational plans should be based on priorities indicated in the needs 
planning process and expected resources. Whilst their precise nature will 
depend on the complexity and size of a department they should reflect 
the need for long-term, annual and individual audit plans. 

(a) Long-term plan 

This should be a strategic plan for a period of about two to five years, 
and should be reviewed annually. It should set out audit objectives, areas 
to be covered and frequency of cover reconciled with expected resources. 

(b) Annual (short term) plan 

This should translate the long term plan into audits to be carried out in a 
coming year or shorter period. It should define the purpose of individual 
audits and allocate staff. 

GIAM 12/83 (amended) 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B5 



(c) Audit work plans 

These should be prepared for each audit as it is arranged, noting objectives, 
locations, resources, duration, methods, procedures, supervision, reporting 
and other relevant factors. 

12 The long term and annual audit plans should be reviewed at least 
annually to take account of audit findings and developments in the 
department. These plans should be approved by the Accounting Officer 
(see B2.7). 



CONTROLLING 
Staff performance 

13 Audit management should continually monitor auditor performance. 
Significant variations from work plans should be investigated and dealt 
with at an appropriate level. 

14 The outcome of each audit or group of audits should be reviewed 
against plans so that efficiency is assessed and any necessary revisions to 
plans are made. 

Audit policies and procedures 

15 The Head of Internal Audit should provide written policies and 
procedures to guide audit staff, the form and content of which should be 
appropriate to the size and structure of his audit unit and its work. 

16 Local administrative and technical audit manuals may not be needed 
by all internal audit units. For instance a small unit may be managed and 
its staff directed and controlled through daily, close supervision and 
written memoranda. In a large internal audit unit more formal and 
comprehensive policies and procedures are essential. 

17 A formal procedure should be established for drawing the attention 
of audit management and staff to such matters as the appropriateness of 
standard documentation, new work areas, new systems or problems which 
require central guidance. 

Supervision 

18 The Head of Internal Audit should ensure that internal auditors are 
properly supervised to ensure that audit work is properly performed (see 
B6.13). 

19 Supervision should be carried out continually, and includes: 

(a) ensuring conformity with these standards and departmental procedures 

OlAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B5 



(b) providing suitable instructions to subordinates at the outset of an 
audit and approving work programmes 

(c) making sure that work programmes are carried out unless deviations 
are both justified and authorised 

(d) determining that working papers adequately support audit findings, 
conclusions and reports 

(e) ensuring that appropriate audit techniques are used 

(f) making sure that audit reports are accurate, objective, clear, concise, 
constructive and timely 

(g) determining that audit objectives are being met within allocated time 
budgets as far as possible. 

20 The extent of supervision required will depend on the proficiency of 
each internal auditor and the difficulty of each audit assignment. 

21 Evidence of supervision should be documented and retained. 

22 The auditor in charge of an audit should regularly report to his 
supervisor. Where audit findings indicate a significant need for priorities 
to be re-assessed or for more extensive work, the auditor in charge should 
discuss this with his supervisor. Audit management should be informed 
of any significant effect on, or variation from, operational plans. 

Quality assurance 

23 The Head of Internal Audit should establish review arrangements to 
evaluate the operations of the internal audit unit (see B4.12). 

24 Internal reviews should be undertaken periodically by members of the 
internal audit staff to appraise the quality of audit work and its supervision. 
These reviews should be performed in the same manner as an internal 
audit. They should be selectively applied over the range of completed or 
progressing audit assignments. 

25 External reviews of the internal audit unit should be performed to 
appraise the quality of its operations. These reviews should normally be 
undertaken by suitably experienced internal auditors who do not have a 
conflict of interest. 



RECORDING 

Documentation 

26 The Head of Internal Audit should specify standards of audit 
documentation and satisfy himself that those standards are maintained. 

GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B5 



Working papers 

27 Working papers should be prepared as each audit proceeds and be 
reviewed by audit management. They should include the bases and extent 
of planning, work performed, information obtained, analyses produced, 
conclusions drawn and evidence of review. 

28 Working papers should be standardised to improve efficiency, 
facilitate delegation of work and to help control quality. 

29 Working papers should be sufficiently complete and detailed to enable 
an experienced auditor with no knowledge of the department to establish 
that correct conclusions were drawn. 

Retention of audit records 

30 Audit files, working papers and other records should be retained for 
a reasonable period and filed in a manner which ensures their safe custody 
and confidentiality. 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B6 



Audit Evidence 



Internal auditors should ensure that relevant, reliable 
and sufficient audit evidence supports their 
conclusions and recommendations. 



Introduction 

Relevance 

Reliability 

Sufficiency 

Supervision 



01 AM 1/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



B6 



Introduction 

1 Audit evidence is information which an internal auditor should obtain 
to give a reasonable basis for his opinions, judgements, conclusions and 
recommendations . 

2 Audit evidence is arrived at by such means as inspection, observation, 
enquiry, analysis, computation and confirmation. Sources include account- 
ing and other systems and underlying documentation, tangible assets, 
management and staff, suppliers and other third parties who have dealings 
with or knowledge of a department or its business. 

3 The type and amount of evidence needed are questions for an auditor 
to determine by exercising judgement in the light of the objectives of an 
audit assignment. This judgement will be influenced by the significance 
of the matter under review, the relevance and reliability of evidence 
available, and the cost and time involved in obtaining it. 

4 Information should be collected on all matters related to the objectives 
and scope of an assignment. 

Relevance 

5 To be relevant, evidence should support audit findings and recommen- 
dations and be consistent with the objectives of an audit assignment. 

Reliability 

6 The reliability of audit evidence is dependent on the particular circum- 
stances of each audit but the following factors generally apply: 

(a) documentary evidence is more reliable than oral evidence 

(b) evidence obtained from independent sources outside the audited area 
is more reliable than that secured solely from within 

(c) evidence originated by the auditor, by such means as analysis and 
physical inspection, is more reliable than evidence obtained from 
others. 

7 Reliable evidence can be achieved through the use of appropriate audit 
techniques which should be selected in advance, where practicable, and 
expanded or altered during an audit if necessary. 

8 A balance should be maintained between evidence originating from the 
auditor, evidence from within the audited area and evidence obtained from 
other sources. 

9 Internal auditors should consider whether the conclusions drawn from 
differing sources and types of evidence are consistent. When evidence 

GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



obtained from one source appears inconsistent with that obtained from 
another, the reliability of each remains in doubt until further work has 
been done to resolve the inconsistency. However, when the individual 
items of evidence relating to a particular matter are all consistent, an 
auditor may obtain a cumulative degree of assurance higher than that 
which he obtains from the individual items. 

Sufficiency 

10 An auditor’s judgement as to what constitutes sufficient evidence is 
influenced by such factors as: 

(a) knowledge of a department and its systems 

(b) the nature and materiality of the matters under review 

(c) the risks involved 

(d) the persuasiveness of the evidence 

11 To be sufficient, evidence should be factual, adequate and convincing 
so that a prudent, informed person would be able to understand how the 
auditor reached his conclusions. It does not have to demonstrate that error 
or loss has occurred. 

12 Auditors should obtain all the evidence considered necessary for the 
achievement of audit objectives. 

Supervision 

13 The process of collecting, analysing, interpreting and documenting 
evidence should be supervised to provide reasonable assurance that an 
auditor’s objectivity is maintained and that audit objectives are met 
(see B5. 18-22). 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B7 



Reporting 



The findings and recommendations arising from each 
audit should be promptly reported to management 
and followed up to ascertain action arising therefrom. 



Introduction 
Issue of reports 
Follow-up 
Activity reports 



G1AM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B7 



Introduction 

1 A written report or other record should be issued after each audit 
examination is completed. Interim reports may be written or oral and be 
presented formally or informally. 

2 The Head of Internal Audit should have complete freedom in the way 
in which he reports his findings. He should report, without editing, in his 
own name (see B2.8). 

3 Procedures should be established within the department for considering 
internal audit reports and for instituting any action arising therefrom. 

4 Internal auditors should communicate their findings promptly in a 
concise and understandable manner that assists management in finding 
solutions to revealed weaknesses. 

Issue of reports 

5 Internal auditors should normally agree facts and discuss conclusions 
and recommendations at appropriate levels of operational management 
before issuing final reports. 

6 The Head of Internal Audit or auditor designated by him should review 
and approve final audit reports before they are issued and decide to whom 
they will be distributed within the department. 

7 If the internal audit unit cannot produce unbiased judgements, opinions 
and recommendations on an audited activity this should be declared 
prominently in the audit report (see B2.17 and B4.8). 

8 Reports should normally be sent to the management of the operation 
examined and to other responsible managers as necessary. They should be 
directed to those levels of management which will ensure proper consider- 
ation and action on recommendations. 

9 Reports should indicate the purpose, scope, and results of an audit 
and, where appropriate, contain an expression of the auditor’s opinion. 

10 Reports should include recommendations for potential improvements 
and may acknowledge satisfactory performance and corrective action. 

11 The auditee’s views on audit conclusions or recommendations may 
be noted in the audit report. 

Follow-up 

12 Operational management is responsible for indicating within an estab- 
lished time scale, and in accordance with departmental arrangements, 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 1/83 



B7 



whether or not it concurs with internal audit observations, and what action 
is being taken, 

13 The internal audit unit should follow up to ascertain that appropriate 
action is taken on reported audit findings, or that management has under- 
stood and assumed the risk of not taking corrective action (see B1.14). 

14 As the internal audit unit is providing assurance to the Accounting 
Officer, the Head of Internal Audit should refer significant matters which 
are not resolved to more senior levels of management within the department 
until he is satisfied, 

15 The Head of Internal Audit should draw the attention of the Principal 
Finance Officer and in due course, where appropriate, the Accounting 
Officer to significant recommendations which have not received adequate 
attention. 

Activity reports 

16 The Head of Internal Audit should submit to his Accounting Officer 
annually, or more frequently if necessary, a report of audit activity and 
results. This should also draw attention to major audit findings where 
action appears to be desirable but has not been taken (see B2.7). 



01 AM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Fraud and Irregularity 



Internal auditors should endeavour to reveal any 
serious defects in systems of internal control which 
might lead to the perpetration of fraud, irregularity 
or malpractice. 



Introduction 

Responsibilities of internal audit 
Suspected fraud 



G1AM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B8 



Introduction 

1 As used in this standard, fraud means any deliberate irregularity or 
intentional misrepresentation. It may involve: 

(a) manipulation, falsification or alteration of records or documents 

(b) suppression or omission of the effects of transactions from records or 
documents 

(c) recording of transactions without substance 

(d) misappropriation or wilful destruction or loss of assets 

(e) misapplication of accounting or other regulations or policies. 



Responsibilities of internal audit 

2 The responsibility for the prevention and detection of fraud rests with 
line management who should institute an adequate system of internal 
control to discharge this responsibility. Internal audit cannot substitute 
for adequate accounting, supervisory, security and other essential arrange- 
ments. 

3 The detection of fraud is not a primary responsibility of an internal 
audit unit. Audit testing normally involves inspecting a sample of trans- 
actions. The purpose of this testing is not to detect isolated instances of 
fraud or questionable payments although these may sometimes be revealed 
in the process. 

4 An internal auditor should be alert for indications of fraud and illegal 
or improper expenditure or activities revealed in areas under examination. 
He should identify systems where too much trust has been placed in one 
person and transactions where there is an inherently high risk (see B4.3). 

5 Internal auditors should recommend the adoption of or strengthening 
of controls which make fraud more difficult, or promote prompt detection, 
having regard to the degree of risk involved. 

6 The responsibilities of the internal audit unit for the investigation of 
fraud should be defined in relation to that of investigatory branches or 
authorities. Auditors should be careful to avoid taking over the role of 
others or of compromising subsequent investigations in any situation where 
there is a possibility that a criminal offence may be involved. 

7 The Head of Internal Audit should issue written procedures to be 
followed if fraud or malpractice are discovered by his staff. These should 
be agreed with senior management. 

GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B8 



8 The Head of Internal Audit should make appropriate arrangements, 
within departmental constraints, to be informed as soon as possible of all 
suspected or discovered fraud. He should consider any implications in 
relation to the internal control system. 

Suspected fraud 

9 Where an auditor suspects the possibility of fraud he should not be 
tempted to keep his suspicions to himself until he has obtained conclusive 
proof. He should discuss his suspicion with his audit manager or supervisor 
at an early stage and certainly by the time he has obtained prima facie 
evidence of fraud. 

10 An auditor should recognise that evidence may form the basis of 
proceedings to which legal constraints apply. Evidence taking in cases of 
suspected fraud comes within the scope of the Judges Rules. 

11 When fraud is suspected the appropriate authorities within the depart- 
ment should be informed. The internal audit unit should recommend 
whatever investigation is considered necessary in the circumstances. There- 
after the internal audit unit should follow up to see that their responsibil- 
ities have been met. 

12 An auditor should ensure that any suspicion of corruption is investi- 
gated and reported in the same manner as suspected fraud. 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Relationships 



Relationships with management, staff, external 
auditors and other review agencies should be centred 
on the need for mutual confidence, understanding 
of role and co-operation. 



Introduction 

Protocol 

External auditors 
Other review agencies 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



B9 



Introduction 

1 Management and staff at all levels must have complete confidence in 
the integrity, independence and capacity of the internal audit unit. This 
should be reflected and maintained in good working relationships betweei 
auditors and auditees. 



Protocol 

2 There is a privileged relationship between the internal auditor and 
management. Matters which arise during an audit are confidential to those 
concerned within the department (see B4.9). 

3 Auditors should bear in mind the need to advise and consult with 
management when arranging audits. Except where an unannounced visit 
is part of the audit approach, audit visits should normally be carried out 
by prior arrangement with auditees. 

4 An auditor should be careful to observe proper rules of behaviour. 
During audit visits he should be aware of local protocol. 

5 Reports should not normally be issued without the knowledge of those 
concerned (see B7.5-11), 

External auditors 

6 Internal auditors should be familiar with the clauses in the Exchequer 
and Audit Department Acts which define the statutory responsibilities of 
the Comptroller and Auditor General. These are set out in Appendix 1 of 
‘Government Accounting’. 

7 Internal auditors should recognise the differences in their role and that 
of external auditors. Exchequer and Audit Department staff are indepen- 
dent of departments, and their work enables the Comptroller and Auditor 
General to report to Parliament on departments’ financial statements and 
more widely on their stewardship of public funds. An internal audit unit 
reports within its own department and its allegiance is to the department’s 
Accounting Officer. 

8 The Head of Internal Audit should promote mutual co-operation 
between his staff and external auditors. This may involve: 

(a) periodic meetings to discuss matters of mutual interest 

(b) access to each other’s plans, systems notes and audit results 

(c) mutual consultation on audit plans and visits 

(d) common understanding of audit techniques, methods and terminology. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 1/83 



9 Exchequer and Audit Department staff will review the effectiveness of 
an internal audit unit as part of their evaluation of departmental manage- 
ment control arrangements and to determine the extent to which they may 
rely on the work carried out. 

10 Internal auditors should not normally undertake external audit tasks 
which they would not perform themselves for internal audit purposes. 

Other review agencies 

11 Internal auditors should have regard to the work of other review 
agencies such as management services and staff inspection. However, any 
arrangements made to promote good working relationships should not 
prejudice the effectiveness and independence of the internal audit unit 
(see B2.5 and B2 10-17). 

12 Audit reports should be released to other review agences only with 
the formal approval of the Head of Internal Audit and the auditee should 
be informed. 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



PRACTICE 



This section outlines the professional practice of 
internal auditing in government departments and 
non-departmental public bodies. 



Cl Systems and controls 

Concepts 

Internal control techniques 

€2 Systems auditing 

Introduction 
Ascertain and record 
Define control objectives 
Identify and evaluate controls 
Test controls 
Arrive at conclusions 

€3 Control of audit 

Audit planning 
Audit documentation 
Audit reporting 
Audit management 

C4 Supplementary 

Audit of developing systems 
Audit of shared systems 
Audit role in relation to NDPBs 
Risk and materiality 



GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Systems and controls 



1 Concepts 

2 Internal control techniques 



GUAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



Cl.l 



Concepts 



Introduction 

SYSTEMS 

INTERNAL CONTROL 

Management control 

Development 

Relevance 

Cost 

Limitations 

Internal audit’s responsibility 



GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



Cl.l 



Introduction 

1 A department’s internal control system is defined in A3 as ‘the whole 
system of controls, financial and otherwise, established by management in 
order to carry on business in an orderly and efficient manner, ensure 
adherence to management policies and directives, safeguard assets and 
secure as far as possible the completeness and accuracy of records’. 

2 For internal auditors to adequately measure and evaluate an internal 
control system it is essential that they understand its nature. This requires 
an appreciation of some basic concepts of both systems and internal 
control. 

SYSTEMS 

3 A system is a series of related procedures designed to operate together 
to achieve a planned objective. In theory, any organisation or operation or 
part of one can be regarded in systems terms, where resources (inputs) are 
organised (processed) to provide results (outputs) in accordance with 
predetermined purposes (objectives). All organisations have a variety of 
systems which vary considerably in nature and purpose. Systems interact to 
provide the mechanism through which an organisation functions. 

4 The number of systems and their complexity will reflect the work of a 
department. One system may include features of others, for example 
payroll and personnel management, and some, such as accounting, may 
include features of all. There may be a strict division between one system 
and another but the dividing line will often be a matter of judgement. 

5 Every system works in three dimensions: within itself, with other 
systems in the organisation and with influences from outside it. Each 
system is operated by people with varying strengths and weaknesses. It will 
be subject to change. Systems need to be controlled to ensure that 
management’s objectives are achieved as planned. 

6 Systems are made up of the following: 

(a) inputs - the resources which feed the system either for conversion 
during processing or as aids to conversion 

(b) processing - the manipulation or conversion of resources within the 
system 

(c) outputs - the product of a system derived from processing 

(d) relationships -influences from outside the immediate system such as 
the impact of other systems and the effect of other organisational 
procedures 

(e) control- the means by which management regulates the operation of 

GIAM9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



Cl.l 



the system. This is achieved by a network of preventive and detective 
techniques as discussed in Cl. 2. 

7 Procedures, operations, functions and other activities within a system 
can be divided into: 

(a) processes which aim to progress transactions or information through a 
system 

(b) controls which aim to ensure that processing operates to: 

effect the department’s business in an orderly and efficient manner 
ensure adherence to management’s policies and directives 
safeguard assets 

secure as far as possible the completeness and accuracy of records 
prevent waste 

INTERNAL CONTROL 

8 However well designed, processing procedures never operate perfectly 
because of the human element and changing circumstances. From these 
arise the possibility of inefficiency, error or deliberate falsification. 
Management therefore introduces and sustains control procedures, over 
and above processing procedures, which together make up a department’s 
internal control system. This is so called because the controls are set and 
operated by the department rather than by an external agent. 

Management control 

9 Controls ensure that processing procedures are operating to achieve 
management’s wishes. Processing in one system may act as a control in 
another. One system, such as accounting or budgetary control, may act as a 
control on others. The absence of controls does not necessarily lead to 
inaccurate output but it means that management cannot rely on the system. 

10 Internal control is a management function starting with the definition 
of systems’ objectives by the Accounting Officer and continuing through a 
department’s plans, systems and organisational structure. It can be 
identified in policies, procedures, regulations, directions, manuals and 
other arrangements. It incorporates the procedures for directing, 
supervising, monitoring and reporting on all operations, functions and 
activities. Individual parts of the internal control system are known as 
‘controls’ ‘or ‘internal controls’. 

11 The key features of management control in an organisation are: 

(a) the definition and establishment of objectives, standards and 
consequent procedures 

GIAM9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



CO 



(b) measuring performance 

(c) examining variances to identify causes 

(d) taking corrective action 

(e) re-appraising and revising on the basis of current experience. 



Development 

12 The internal control system will have developed over time. It will have 
been strengthened by management initiative and its response to internal 
audit activity. It may have been weakened by accident or design by 
management or staff. 

Relevance 

13 The nature, concentration and extent of controls will vary between 
departments and from one part of a department to another. The controls 
used will depend on the nature, volume and vulnerability of transactions, 
the degree of control which management are able to exercise personally, 
geographical distribution of operations, personnel and many other factors. 

14 The internal control system should be sensitive to and reflect the 
current systems used in the department. New and changed systems need to 
be reflected by changes in the internal control system to prevent it 
becoming too stringent, or too weak, or cumbersome. The efficiency, 
effectiveness and economy of internal controls should be kept under 
constant review by management. This itself will form a control. 

Cost 

15 Control costs money and excessive control makes an organisation 
inefficient and lethargic. The need for and costs of alternative controls 
should therefore be weighed against their financial and other 
consequences. The choice of control methods should be based on a 
comparision of costs and expected benefits. 

Limitations 

16 No system of internal control, however elaborate, can by itself 
guarantee efficient administration and the completeness and accuracy of 
processing. It cannot be proof against fraudulent collusion especially on 
the part of those holding positions of authority or trust. Internal controls 
that depend on separation of functions can be avoided by collusion. 
Authorisation controls can be abused by the person to whom the authority 
is given. The competence and integrity of the staff operating controls can 

GI AM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



Cl.l 



be fostered by selection and training but cannot be guaranteed. Any 
system of internal control is also subject to the possibility of human error. 

Internal audit’s responsibility 

17 Internal audit forms a unique part of a department’s internal control 
system as it measures and evaluates the effectiveness of other controls so 
that it can: 

(a) give assurance to the Accounting Officer that the internal control 
system is satisfactory and operates effectively 

(b) serve individual managers by reporting to them on elements of the 
internal control system for which they are responsible. 

18 The internal audit responsibility of reporting on internal control does 
not absolve line management from its responsibility for the maintenance of 
adequate systems. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM9/83 



Cl. 2 



Internal control tech niques 



Introduction 
Organisational controls 

Separation of functions 

Accounting 

Staffing 

Accountability 

Information 

Management 

Supervision 

Internal check 

Authorisation controls 
Documentation controls 
Completeness and accuracy controls 
Systems development controls 
Physical controls 



GIAM9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C1.2 



Introduction 

1 To measure and evaluate controls effectively the internal auditor needs 
to understand their character. This chapter describes basic techniques and 
methods of internal control. It does not seek to describe all the controls 
which may or should exist in a department because these are likely to vary 
from one department to another. 

2 Control techniques should be balanced in their application, appropriate 
to the systems they are seeking to monitor, and relevant to the 
environment as described in Cl.l. 

3 Controls should not be viewed singly as they inter-relate and operate in 
a hierarchy. Such hierarchy may be represented by controls within (and at 
various levels in) a system or be imposed by a higher level (eg budgetary 
control) system. Weakness in one control may be compensated by other 
controls. A major control in one system may have no or only limited 
application in another. 

4 Whatever their composition, controls should: 

(a) achieve the objective of controlling the process/es to which they relate 

(b) together provide an adequate internal control system over all the 
operations of a department. 

5 The objectives and principles of internal control apply equally to 
manual and computer systems though the techniques used may differ. 
Specific controls relating to computer systems are detailed in the Computer 
Audit Guidelines. 

6 Internal controls can be grouped in many different ways. In this chapter 
they are classified by approach and method of operation. 

7 The two main approaches to internal control are mixed in practice to 
achieve management’s control objectives: 

(a) preventive controls — designed to prevent the occurrence of 
inefficiencies, errors or irregularities. These cannot guarantee that 
the controlled factor will not occur but reduce the chance of it 
occurring. Cost, human fallibility and the possibility of collusion 
mean that preventive controls cannot eliminate risk. 

(b) detective controls — designed to detect inefficiencies, errors or 
irregularities. They do not give absolute assurance but increase the 
chance of detection. Detective controls help to ensure that errors are 
identified and corrected on a timely basis. In the case of error only the 
actual error detected can be corrected. Where the error is one of 
inefficiency or lack of authorisation , corrective action should follow to 
lessen the chance of repetition. 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C1.2 



8 Grouping of controls by method, as described in the following 
paragraphs, helps an auditor’s understanding of control techniques. Some 
controls (ie internal check) can be classified under more than one heading 
and some over-lap. All inter-relate to provide effective internal control. 

ORGANISATIONAL CONTROLS 

9 These controls cover the way a department is organised. 1 hey ai e 
critical in an auditor’s consideration of the internal control system. If they 
are inadequate the auditor will be unable to give assurance on the 
adequacy of the internal control system in general and on individual 
systems in particular. The lack of separation of duties, supervision or 
well-defined responsibilities reduces the effectiveness of other controls. 



Separation of functions 

10 This involves the separation of individual duties or functions within , 
and at a higher level, between divisions. Responsibilities and procedures 
should be allocated in such a way that no individual or single group has 
exclusive control over any one transaction or group of transactions. 
Incompatible functions would permit one person both to perpetrate and 
conceal errors or irregularities. 

11 Functions which should be separated include: 

(a) custody of assets (including access to cash and easily convertible assets) 
and recording or reporting the same assets or related transactions 

(b) custody of assets and authorisation or approval of related transactions 

(c) authorisation or approval of transactions and their recording or 
reporting. 

12 When an organisation is too small to permit proper separation of 
duties this control may be partly achieved by a sensible rotation of duties. 

Accounting 

13 The accounting function should not have responsibility for other areas 
of the department’s operations nor should it have responsibility for any 
custody of assets. As a general rule, anyone performing an accounting role 
should not have access to assets that can be converted to personal gain. 



Staffing 

14 Systems are more likely to operate as intended if the people operating 

GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



them are competent and trustworthy. The employment of competent staff 
does not make an internal control system adequate. Control should not 
depend on one individual; people have failings and may become bored, 
dissatisfied, distracted by personal problems or inefficient. Incompetent or 
dishonest people can, by accident or design, weaken or negate even the 
strongest internal control system. Procedures to ensure that all staff have 
the capabilities and qualities needed for their work are therefore important 
features in an internal control system. 



Accountability 

15 A plan of the department’s organisation should define and allocate 
responsibilities and identify lines of reporting for all aspects of its 
operations including controls. This will involve placing operations into 
appropriate divisions or branches, then defining and allocating 
responsibilities to specific individuals, as featured in a budgetary control 
system. 

Information 

16 There should be continuous and adequate information on the financial 
and operational performance of all activities within a department. Reports 
to management should indicate levels of activity and performance required 
and achieved, including the planned and actual use of resources, within a 
time frame. Controls should exist to ensure that corrective action is taken 
where necessary. 



Management 

17 These are controls exercised by management outside the day-to-day 
routine of the system. They include the overall supervisory controls 
operated by management. Higher level controls designed to inform 
management that lower level systems are operating as intended are 
included in this category. 

18 Overall supervision by senior mangement of the department in 
general, and of other internal controls in particular, is an important 
element of control. Effective supervision by management in this context 
involves: 

(a) supervision or personal operation of a control at key points within the 
internal control system so that important breakdowns may be detected 

(b) overall supervision of the department through normal management 
processes including reviews of financial and other reports and the work 

GIAM 9/H3 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Cl. 2 



of review agencies such as management services and staff inspection 

(c) achieving a balance between local discretion and central control aided 
by a free flow of information between the centre and other parts of the 
department 

(d) monitoring performance against relevant indicators 

(e) monitoring the continuing effectiveness of other controls by reviewing 
errors detected by these controls and through internal audit 



Supervision 

19 The system of internal control should include supervision by 
responsible officials of day-to-day transactions and their recording. This 
may be continuous or by sample checks and it should be evidenced. 
Depending on the nature and size of operations it may, in part, be coupled 
with the management functions described above. These controls should 
include adequate deputising arrangements when a supervisor is absent. 

20 Supervisory checks ensure that other checks and controls are working 
properly. They are additional to the checks noted in paragraph 23 because 
they work selectively at a more senior level. They can include the 
following: 

(a) checks carried out by a certifying officer to satisfy himself that controls 
over what he is certifying have operated 

(b) specific enquiries into the causes of variances shown in routine reports 

(c) ensuring that leave is taken and that adequate arrangements are made 
to reorganise staff duties during periods of leave, sickness or staff 
shortage. 



Internal check 

21 Internal check is often so built into a department’s organisation and 
procedures that it is taken for granted. The need for this control must be 
recognised and considered particularly when developing new or changing 
existing systems and procedures. 

22 Procedures for segregating incompatible functions are strengthened 
by a sound system of internal check, in which checks on transactions 
operate continuously as part of the routine. For example the work of one 
person may be proved independently by, or be complementary to, the 
work of another. The internal auditor should consider the use of such 
arrangements in the widest sense to include any check on one person’s 
work by another even at higher levels such as decision-making. 

GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Cl. 2 



23 Where internal check arrangements are impracticable or inadequate 
routine supervisory checks, such as sample checks on completed 
transactions, are sometimes undertaken. 

24 Internal check is part of the work routine and not a function of 
internal audit which should have no involvement in the administration of 
control procedures, routine or otherwise. 

AUTHORISATION CONTROLS 

25 These controls ensure that: 

(a) all transactions are authorised 

(b) each transaction conforms with the terms of its authorisation 

(c) authorisation or approval is given at the right time and formally 
communicated by appropriately senior officers whose limits of 
authority are specified. 

26 Authorisation may be general or specific. Management may, for 
instance, issue written directions which give general authority for 
categories of transactions or operations such as the purchase of specified 
equipment within given limits. A specific authorisation would, however, be 
limited to individual items such as the purchase of certain goods from a 
particular supplier. 

DOCUMENTATION CONTROLS 

27 Documents include any media on which transactions are entered and 
summarised and through which information is transmitted. Documentation 
controls are primarily preventive controls. They include the maintenance 
of up to date manuals of policies, procedures and systems and help to: 

(a) ensure that procedures are established as intended 

(b) give staff a clear understanding of their duties and responsibilities 

(c) improve efficiency 

28 Documents and records should be: 

(a) sufficiently simple to make sure that they are clearly understood 

(b) laid out to make it easy to record transactions 

(c) designed to encourage correct completion and subsequent control, for 
example, a document might include instructions for proper routing, 
blank spaces for authorisations and columns for specified numerical 
data 

(d) pre-numbered consecutively, where appropriate, to help identify 
missing documents 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



Cl. 2 



(e) designed for multiple use where possible to minimise the number of 
entries and possibility of error, for example, copies of a well designed 
purchase order set can be used to record commitments, as authority for 
receiving goods into store and as the form for authorisation of 
payment. 

COMPLETENESS AND ACCURACY CONTROLS 

29 These are the controls which check that all transactions are included, 
correctly recorded and accurately processed. They include checks on the 
arithmetical accuracy of records, the keeping and checking of totals, 
reconciliations, control accounts and trial balances etc. 

30 Controls to ensure the initial recording of all transactions are 
particularly important. To minimise the risk of non-recording each 
transaction should be recorded as close to its occurrence as possible. 

31 Assurance that the processing of transactions is complete and accurate 
comes mainly from the following detective controls: 

(a) sequence checking -of pre-numbered documents which gives 
assurance on the completeness of records but not about accuracy. For 
example, prime documents such as goods received notes and payable 
orders may be pre-numbered and all numbers accounted for. 

(b) comparison - of one set of records or documents with another can 
detect discrepancies. For instance, a payable order may be compared 
with the appropiate orders or goods received notes. The basic 
assumption behind the effectiveness of this control is that the data is 
complete. 

(c) control totals — which are compared to check consistency at the 
beginning, during or at the end of a process. A control operates for the 
process on which the total is taken but it is fundamental that the totals 
are checked independently. For example, payable orders may be 
prepared in batches and a total taken and checked with a total taken 
when the individual items were recorded. If the total covers the 
number of items and not their values the control only covers the 
number of records. If, however, the values are totalled control is 
exercised over the overall accuracy of the recording process, but not 
over the possibility of compensating errors. 

(dj re-performance — repeating an operation and comparing the result with 
the first result. Its effectiveness rests on the assumption that it is 
unlikely that two people will make the same mistake or that both will 
fail to detect the same error. Economy dictates that such validation is 
used sparingly, where other controls will not be effective. It is normally 
applied in checking calculations. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



CL2 



SYSTEMS DEVELOPMENT CONTROLS 

32 These are management’s controls over the development of new 
systems and modifications to existing systems or procedures. Their purpose 
is to ensure that: 

(a) the effect of systems changes on the internal control system is properly 
assessed at an early stage before implementation 

(b) systems modifications are formally approved and authorised 

(c) adequate plans are made for a change from one system to another 

(d) the implementation and application of new or revised systems and 
procedures is in accordance with plans 

(e) new or revised systems generally improve efficiency and meet user 
needs. 

33 Systems development controls include authorisation, project 
management, staged reporting, file conversion, testing, implementation 
and post implementation review. They are of particular importance in 
computer systems and are described in the Computer Audit Guidelines. 

PHYSICAL CONTROLS 

34 These controls are concerned mainly with the custody of assets and 
information. They involve procedures and security measures designed to 
ensure that access is limited to authorised personnel. This includes both 
direct access and indirect access through, for example, a computer 
terminal. 

35 Physical controls are important when there are valuable, portable , or 
other vulnerable assets or where assets or information are in some way 
sensitive. There are two main types: 

(a) restricted access - preventive controls covering such aspects as security 
of assets, information, sensitive areas and restrictions over payable 
order procedures. They include arrangements to prevent the misuse of 
assets whether by error or intent. 

(b) physical checks - detective controls whose validity depends on the 
separation of the holding and recording functions. Comparison of 
stocks with detailed stores records, for example, is not an effective 
control if the same storekeeper looks after the stocks and writes up the 
records. The effectiveness of such controls depends on the scope and 
frequency of checks. 



GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Systems auditing 



1 Introduction 

2 Ascertain and record 

3 Define control objectives 

4 Identify and evaluate controls 

5 Test controls 

6 Arrive at conclusions 



GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C2.1 



Introduction 



The task 

1 The primary task of an internal audit unit is to give assurance to the 
Accounting Officer on the department’s internal control system. The 
means of achieving this is described in A10. Each audit should be part of an 
audit plan, agreed by the Accounting Officer, designed to ensure that all 
parts of his department are audited at intervals appropriate to their 
importance as described in C3. 1 . Assurance may be given on individual 
systems as they are audited: this will increase, over time, to cover all of the 
department’s internal control system. 

2 The internal audit unit can increase assurance through successive audits 
in the review cycle. It will need to develop a strategy for achieving this even 
though individual systems may only be fully reviewed (say) once in the 
cycle. One way of achieving this is by periodically reviewing essential 
controls in appropriate systems. 

3 In giving assurance on the internal control system the internal audit unit 
will need to consider the effect of, and to audit, developing and shared 
systems (see C4.1 and 2). 

Auditing a system 

4 In a systems audit the main stages the auditor needs to follow are: 

ascertain and record (C2.2) - create a record of the system on which to 
base his audit 

define control objectives ( C2.3) - define the objectives which he thinks 
management should require controls within the system to achieve 

identify and evaluate controls ( C2.4) - seek to match the controls in the 
system to control objectives prior to testing 

test ( C2.5) - test the operation of the controls to establish if they can be 
relied upon 

arrive at conclusions ( C2.6) - assess what has been discovered during 
evaluation and testing to form an opinion on the adequacy of control. 

Documentation 

5 At each stage the auditor needs to record his appraisal or examination 
and its results. Some aspects of documentation are noted here but C3.2 
deals with documentation in detail. 

CHAM 0/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C2.1 



Management 

6 Each audit should be monitored, as determined by the Head of Internal 
Audit, to ensure achievement of plans and conformity with standards and 
procedures. 

Reporting and follow-up 

7 Audit findings and recommendations are reported within the internal 
audit unit and to the management of the area audited. In due course the 
report is followed up to see how the recommendations have been dealt 
with as described in C3.3. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



C2.2 



Ascertain and record 



1 The systems to be audited will have been identified in the planning 
process described in C3.1. The auditor’s work assignment, incorporating 
his terms of reference, will have been drawn from the annual or short-term 
plan. 

Preliminary review 

2 Before starting to audit the auditor should satisfy himself that the 
assignment has been fully defined. If the assignment involves a function, 
for example personnel management, the auditor should define all the 
systems involved. He should identify the boundaries of the systems under 
review and where work interfaces with other audit assignments. Initial 
discussions with managers at appropriately senior levels provides much of 
this preliminary information. 

3 The auditor will normally consult his team leader to confirm his 
understanding of what needs to be done to satisfy his terms of reference. 

Detailed work specification 

4 Further preliminary work will be needed to specify in detail how to find 
out exactly what the system is. The auditor needs to define documentary 
sources such as statutes, regulations and work instructions. He needs to list 
people from whom information may be obtained. 

5 At this stage the examination of documentary sources should be 
restricted to summary and introductory material rather than that which 
details transactions and actions. 

Interviewing 

6 The primary means of ascertaining a system is by interviewing. Since 
the aim is to establish a complete record of how the system works in 
practice interviews are needed with all levels of staff. 

7 It is desirable to maintain a logical sequence in the flow of interviewing. 
Notes of each interview should be linked with other interviews in the chain, 
eg where one person’s work is supervised by another or a file or document 
is passed from one person to another. If notes are linked, the pattern of 
interviewing can be arranged to the interviewees’ convenience and 
minimise disruption of their work. 

GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C2.2 



8 During the interview, the auditor should record appropriate references 
to regulations and other work instructions so that he can refer to them 
afterwards. He should also collect blank copies of ail forms used and 
cross-reference them to the interview note. These will help him understand 
the system since they often contain references to regulations and show 
distribution and action routes. 

9 Drawing or writing a description of the system may show that parts of it 
have not been fully ascertained. If this happens the auditor needs to carry 
out more interviews till he has the complete picture. 

Recording the system 

10 Recording should be sufficiently detailed for the reader to understand 
how the system works and how the controls fit into it. Depending on audit 
objectives, this may involve detailed recording of a whole system or only of 
key areas in it. 

11 The recommended method of recording a system is flowcharting. 
Flowcharts allow the general layout of a system, and the sequence of steps 
in it, to be appreciated quickly. Normally, they detail the flow of 
documents and operations. Other methods can be used, such as narrative 
descriptions although these tend to be unwieldy. However, if well 
prepared, they can give a good idea of a system’s structure (see C3.2). 

Walk through tests 

12 Having recorded a system the auditor should ensure that his 
description is accurate. The simplest way to do this is to undertake “walk 
through” tests of the system involved. These tests simply confirm that the 
system works in practice as described. 

Second and subsequent audits 

13 The record produced during the initial audit review of a system should 
provide a basis for future audits. Auditors should maintain its accuracy at 
every subsequent audit by ascertaining and recording any changes. 
Substantial changes in systems should already have been reported to the 
internal audit unit, when they were being made, enabling the unit to then 
comment and review if necessary. 

14 Only when he has adequately ascertained and recorded a system can 
the auditor proceed to identify and evaluate controls. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



C2.3 



Define contra! objectives 



1 Having recorded a system, the auditor’s next step is to decide what 
objectives need to be met by controls in it. He will later compare these with 
the controls he finds thus simplifying his task and helping to identify 
absences, weaknesses, duplications or excessive controls. 

Management’s objectives 

2 The auditor needs to know and understand management’s objectives 
for the system; that is what management want the system to do. This 
should include relative priorities between speed and accuracy of 
processing. Managers are concerned with how a system processes the work 
to be done as well as how well the processes are controlled. The auditor 
may find, however, that control features have been relatively neglected 
even though they are part of the manager’s responsibilities. 

The auditor’s definition 

3 The auditor will, therefore, define his own control objectives against 
which individual controls can be measured and evaluated. As control 
objectives are intended to reflect management’s needs they should give the 
auditor a comprehensive view of the control required and enable him to 
reach sound conclusions on the system under review. 

4 Different levels of control objectives will need to be identified because 
of the hierarchical structure of control. Each control objective should set a 
goal which might be satisfied either by the operation of a single control or a 
collection of controls. These control objectives should then aggregate to 
high level or key control objectives which will have been previously 
defined. 

5 Because the objectives will form a bench mark for evaluation the 
soundness of the auditor’s conclusions will depend on how well he has 
defined them. Success in defining control objectives depends critically on 
an auditor’s experience and judgement. It is most important that the 
auditor demonstrates that he has achieved this before he proceeds to 
evaluation. Four main factors affect the process: 

(a) the auditor’s knowledge of control generally and how it should operate 
in particular types of systems 

(b) an auditor’s knowledge of controls in that system arrived at during 
recording 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C2.3 



(c) the complexity and size of the system being audited 

(d) the environment in which the system operates. 

Application 

6 Taking account of these factors the auditor works through the record of 
a system. He decides what control ought to exist and reflects this by 
defining control objectives against which to measure the actual controls. 
For example, he will assess the relative importance of the various processes 
within the system and those most in need of control. Given this he 
determines what kind of controls should exist by drawing on his knowledge 
of types of controls. 

7 An external auditor often bases his audit on high level controls only 
since he is most concerned with the final outputs of systems. For instance, 
in looking at a bill paying system he may be satisfied with auditing a control 
which matches outputs to inputs. He would not usually be concerned with 
intermediate controls. On the other hand, the internal auditor is concerned 
with all of the internal control system and cannot limit his approach to high 
level controls alone. An internal auditor should define control objectives 
down to the level at which control ceases to be significant. 

Common objectives 

8 An experienced auditor will know some control objectives that a 
system should have before he has examined it. Indeed, he will need to 
make sure that they are not overlooked through familiarity. Many control 
objectives have common application, for example: 

(a) that all receivables are promptly and properly accounted for and 
recorded 

(b) that liabilities are set up only for properly authorised, ordered and 
received goods or services 

(c) that authorised payments are properly made to the correct person and 
at the correct time. 

Recording control objectives 

9 Using his record of the system, the auditor should progressively 
construct control objectives which he thinks should be satisfied in the 
system under review. Once he has defined control objectives the auditor 
constructs an Internal Control Questionnaire. Each control objective is 
supported by a question or series of questions which prompt the auditor to 
look for the relevant controls. These together will enable him to form a 
view during evaluation on whether (or not) the control objective has been 
met. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



Identify and evaluate controls 



C2.4 



1 At this stage the auditor focuses on the controls found when he 
recorded the system. These normally fall within the categories described in 
Cl. 2. He then evaluates the controls against his control objectives. His aim 
is to satisfy himself whether the existing controls achieve his control 
objectives. In doing this he will form an initial judgement from which he 
will develop his testing strategy. The auditor has no evidence that controls 
are working until they are tested. 



IDENTIFICATION 

2 The auditor should carefully examine his description of the system to 
separate controls from processes. As the controls found will be evaluated 
and tested the auditor has to consider how best to present all the 
information. He needs also to indicate points at which controls are seen to 
be missing. The auditor should take particular care to identify high level 
controls. Flow charts cannot be used directly to match controls to control 
objectives or to record the results of evaluation. The document designed to 
do this is an Internal Control Questionnaire. 

3 It is possible that, at this stage, audit documentation will contain minor 
inaccuracies about both the system and controls which were not detected in 
walk through testing. Such inaccuracies are normally identified and 
corrected during testing. 



Absent or inadequate controls 

4 If the controls relating to a particular objective are absent, or are 
judged by the auditor to be inadequate, management’s exposure to risk is 
revealed. The degree of importance attached to the risk will normally be 
governed by the importance of the system. The auditor should determine 
the significance of the exposure to risk and consider when he should report 
to management, 

5 He may decide that he cannot or does not need to proceed to test at this 
stage and he will therefore report accordingly. Where only an isolated 
control is absent or inadequate, the auditor may have no reason to doubt 
the soundness of the overall system; the weakness could therefore be left 
for later assessment. 

GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€2.4 



EVALUATION 

6 After identifying controls the auditor has to judge whether control 
objectives can or cannot be achieved. He therefore compares the controls 
he has identified with his control objectives. There will be one or more 
controls by which any one control objective may be satisfied. The auditor 
may therefore judge that although one control meets only part of an 
objective another control or controls combine with it to satisfy the control 
objective. If the auditor cannot confirm that controls achieve control 
objectives he will have identified a weakness. 

7 The auditor’s judgement must be adequately presented on his control 
evaluation record. This demonstrates that controls meet control objectives 
and there is sufficient evidence (later obtained by testing) that they are 
operating as intended. 

Control weaknesses 

8 An auditor always needs to consider whether there is any route by 
which controls could be avoided so that an objective would not be met. He 
should ask himself such basic questions as ‘What could go wrong?’, ‘Do the 
controls provide adequate safeguards against such a possibility?’ ‘If 
something did go wrong how would it be detected and corrected?’ etc. The 
auditor should consider how errors, or lost or duplicated items, could 
remain undetected, how unauthorised changes could be made, or how 
requirements for authorisation could be avoided. He is also concerned 
whether information that crosses the boundaries between systems is 
accurately and completely transferred. 

9 The auditor should ensure that controls fully meet their objectives. For 
example, in a grants system a control objective might be that ‘payments are 
substantiated periodically’. The auditor discovers that bank reconciliations 
are undertaken regularly and may conclude, as a result, that the objective 
is achieved. However, this is only part of the achievement, and he should 
also check that action is taken to investigate any discrepancies revealed by 
the reconciliation. The auditor may also believe that bank reconciliations 
are not enough to provide adequate control and that a further 
reconciliation (between payments and records of grants claimed) is 
required for the objective to be fully achieved. 

Compensating controls 

10 One control in a system may be so strong that it compensates for weak 
or non-existent controls. In his evaluation the auditor may discover 
duplicated, excessive or inappropriate controls. He may conclude that the 
same level of control could be achieved more cheaply or more simply. 

GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C2.4 



Sometimes controls which the auditor expects to find are missing. He 
needs to search for controls which compensate for this prima facie 
weakness. 

Common controls 

11 Some basic controls are common to many systems and the auditor may 
be able to make use of standard documentation in such circumstances. If 
audit assurance has been obtained from the evaluation and testing of a 
control in one system that assurance may be taken into account when 
reviewing other systems to which it is common. 

Results 

12 The auditor should conclude whether or not the controls can, in 
principle, be relied on and record this on the control evaluation record. 
This conclusion may sometimes be qualified, for example ‘the identified 
controls do not meet the control objectives but this weakness is acceptable 
because . . Inconclusive discussion of strengths and weaknesses should 
be avoided. 

13 If the auditor is satisfied that the controls meet the objectives he will 
start compliance testing. If, however, the auditor concludes that a control 
is inadequate there is no point in undertaking compliance testing although 
he may decide to do some substantive testing to obtain further evidence. 
His course of action will depend on how serious the weakness is. He may 
decide to present an interim report. If, however, the weakness seems 
unimportant he may decide to deal with it when he is arriving at his 
conclusions. 



CRAM 9/H3 

Printed image digitised by the University of Southampton Library Digitisation Unit 



€2.5 



Test a m trols 



Types of tests 

Walk through 

Compliance 

Substantive 

Testing strategy 

Objectives of testing 
Risk and materiality 
Yardsticks 

Period of examination 

Level 

Sequence 

Appraising the results 
Techniques of examination 
Recording test results 



GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C2.5 



1 The auditor’s conclusions on controls, arrived at following his 
evaluation, must be supported by relevant, reliable and sufficient audit 
evidence (B6). Doubt about the soundness of audit opinion calls into 
question the credibility of the auditor and the value of the audit is 
undermined. It is therefore crucial to demonstrate that the auditor’s 
judgements have a sound, rational basis. 

2 The internal auditor uses testing to form or corroborate his opinion 
about the adequacy or otherwise of the system of controls. He does this by 
measuring particular characteristics of selected transactions or processes 
and comparing the results with those he expected. 



Computer assisted audit techniques (CAATs) 

3 The computer is an increasingly valuable tool for carrying out tests on 
computerised systems, especially where large populations or complicated 
procedures are involved. CAATs allow sizeable volumes of data to be 
tested quickly, economically and accurately. They are described in detail in 
the Computer Audit Guidelines. 



TYPES OF TESTS 

4 Testing is appropriate in two stages of a systems audit: 

ascertain and record- the auditor confirms his understanding of how 
the system operates. Tests at this stage are known as ‘walk through’ or 
‘cradle to grave’ tests. 

evaluation of controls - the auditor tests the controls which, he has 
concluded, will help achieve his control objective. In compliance 
testing, the auditor is confirming his evaluation and obtaining audit 
evidence that a control which he has judged to be adequate is effective 
and consistently applied in practice. Substantive (or weakness) tests are 
applied to test the effect of a weakness he has detected. 

Walk through 

5 ‘Walk through’ or ‘cradle to grave’ tests are designed to confirm the 
auditor’s understanding of how a system operates. As described in C2.2, an 
auditor’s initial understanding of a system is likely to be derived from a 
combination of observation , interviews and examination of management’s 
documentation of the system. However, systems do not always in practice 
operate as prescribed and so the auditor must confirm his understanding of 
how the system actually operates. 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C2.5 



6 To do this the auditor takes some representative transactions and 
‘walks them through 5 the system from start to finish. For example, in a 
payments system the trail could be: 

(a) authorisation 

(b) clerical verification 

(c) data preparation (for computerised systems) 

(d) computer validation (including procedures for investigating and 
resubmitting rejections) 

(e) computation of payments 

(f) preparation and despatch of the payable order 

(g) reconciliation processes 

(h) bringing the transaction to account 

7 It is necessary to walk through again in later audits of a system, 
especially if significant changes are believed to have occurred. 



Compliance 

8 When the auditor considers that an internal control is adequate and will 
contribute to the achievement of a control objective he proceeds to 
determine whether the control is effectively and consistently applied. If the 
effectiveness of the control is likely to vary, for example when different 
staff are responsible for operating the control, the auditor should ensure 
that the sample selected for testing takes account, as far as practicable, of 
such variations. 

9 A failure to satisfy compliance tests indicates the possibility of error: it 
does not demonstrate positively that error exists. For example, if there is a 
control that all invoices are to be checked before payment for authorising 
signature, and ticked to show that the check has been performed, the 
discovery of an unticked invoice does not necessarily indicate that the 
check was not performed nor that the invoice is invalid. Where errors are 
detected, the auditor is primarily concerned with what he can infer from 
them about the effectiveness of the relevant controls, rather than the errors 
themselves. 

Substantive 

10 Substantive testing has only a limited role to play in systems auditing. 

If an internal auditor detects a weakness and is unable to convince 
management of its existence or seriousness by other means, he may decide 
to try to demonstrate the point by substantive testing. This involves testing 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



€2.5 



actual transactions or balances in the period under review to gain audit 
evidence of their completeness, accuracy or validity. 

11 The temptation is to do too much substantive testing in order to find a 
number of examples: this is costly and time consuming. One way of 
limiting such testing and its cost is by relying on sampling techniques but 
even the most sophisticated techniques will only reveal error or irregularity 
in the population tested. The items tested may have been correct in spite of 
control weakness. 

12 The auditor should bear in mind that substantive testing may not 
produce any evidence on the operation of controls. It should only be used 
when essential. 



TESTING STRATEGY 



Objectives of testing 

13 The auditor should decide what to test, what each test is for and how 
to test. Each test should be expected to lead to or corroborate an audit 
opinion. 



Risk and materiality 

14 In judging how to deploy his testing effort, the auditor’s main 
consideration should be the risk to which the department is exposed. The 
need for control is inextricably linked with exposure to risk and the 
seriousness of risk is generally measured in terms of materiality. 
Materiality is not confined to monetary value: it includes other 
considerations such as disruption of the smooth running of business, 
embarrassment to Ministers or loss of goodwill. Risk and materiality are 
discussed more fully in C4.5. 



Yardsticks 

15 It is essential to establish measurable criteria with which to compare 
the results of testing. For example, an instruction that all invoices are to be 
signed, and ticked to indicate that the authenticity of the signature has 
been independently verified, gives the auditor an explicit standard with 
which to compare his test results. Sometimes standards are not so precise 
and the auditor may need to agree with line management the objective and 
features of the controls to be tested. The absence of a measurable standard 
for the performance of control means that the testing of it is pointless. 

GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C2.5 



Period of examination 

16 Tests should normally be biased towards the current period. If 
changes in operating conditions are likely to affect how controls operate, 
for example the performance of particular staff or pressure at particular 
times, the auditor should ensure that this is taken into account in selecting 
the transactions to be examined so that his findings are reasonably 
representative. With high risk systems he may need to test key controls 
again in the interval between the next full audit in order to maintain 
assurance. 

Level 

17 There can be no hard and fast rules about the amount of testing except 
that auditors should aim for the minimum necessary to achieve the 
objective. The cost of testing an entire population is usually prohibitive. 
The auditor may use sampling to select items to test as described in C4.4. 

Sequence 

18 The order in which tests are performed depends on the audit 
objectives and on how far controls inter-relate. Output from one test often 
provides input to another. For example, in auditing a payroll system it 
might be considered important to test that all new entrants are authorised 
and put on the correct point of the pay scale. The authorisation test should 
provide successful items from which the auditor might select a sample on 
which to perform the pay scale test. 

19 Where controls inter-relate it is important to co-ordinate testing 
especially where the work is shared between auditors. Uncoordinated tests 
can be wasteful and may not achieve the testing objective. 

20 The auditor must take account of all relevant factors. These include: 

(a) the testing objective - generally speaking when the auditor is testing for 
compliance with controls or is looking for evidence of a suspected 
weakness the volume of testing tends to be limited; on the other hand 
when he is attempting to quantify the impact of a weakness testing 
tends to be more extensive 

(b) the relative importance of individual controls - key controls warrant 
more attention than minor or supporting controls 

(c) the size of the population - the level of testing would tend to vary with 
the size of the population if the aim is to achieve similar levels of 
assurance about different controls 

(d) the time available - this tends, in practice, to be the principal limiting 
factor and emphasizes the importance of optimising the testing effort. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



C2.5 



Appraising the results 

21 During testing, there needs to be a continuing appraisal of the results 
so that the auditor can decide whether to change the testing strategy which 
should be appropriately flexible. For example, when the auditor performs 
compliance tests on a control and finds some non-compliance, he must 
decide whether to continue to rely on that control, and if not how his 
earlier evaluation is affected. The following are some of the questions he 
should consider: 

(a) how important is the control? 

(b) are there compensating or complementary controls which reduce its 
intrinsic importance? 

(c) how serious are the deviations and why did they occur? 

(d) is any control failure likely to be isolated or recurring? 

(e) is further testing (to confirm his opinion) necessary or feasible? 

(f) whether any weakness is so serious that management needs to be 
informed immediately. 

22 The conclusive appraisal takes place when all tests have been 
completed and the results summarised and analysed. The auditor must 
decide: 

(a) whether the testing objective has been achieved 

(b) what conclusions can be drawn 

(c) whether the findings show serious or minor weaknesses 

(d) the cause of weakness and what corrective options are available 

23 What is required is an intelligent appraisal of testing results. The 
auditor is not simply keeping a score of errors found. He is concerned with 
the causes of any weaknesses in control, their effects and appropriate 
remedies. 

TECHNIQUES OF EXAMINATION 

24 When the auditor has selected the items he is going to test they need to 
be examined and the test performed. The following paragraphs describe 
the principal techniques for examining transactions or processes. 

Observation 

25 This is particularly important where no physical evidence remains of 
an action having taken place. For example, discreet observation by the 
auditor can reveal whether there is improper access to a restricted 
computer area despite stringent formal controls. 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C2.5 



Inquiry 

26 This is useful when tangible evidence is lacking or to get such evidence 
explained. Care should be taken because the attitude and approach of the 
auditor affects whether the auditee is forthcoming or defensively silent. 

Analysis 

27 Where a transaction or process comprises a set of inter-related parts , 
the auditor may need to analyse and verify each part before he can form a 
judgement about the whole. This is illustrated in contract auditing, where 
the soundness of the contract itself depends on the nature and inter- 
relationship of its individual terms and conditions. 

Verification 

28 This involves an auditor independently confirming something he is 
testing. It embraces methods of establishing the truth, accuracy or validity 
by such means as: 

(a) comparision - with some ascertainable fact or standard, for example 
establishing the validity of an invoice by comparing the authorising 
signature with a specimen 

(b) confirmation - for example corroborating that an order went to the 
right person by a statement from the latter to that effect 

(c) reperformance - this is particularly relevant where calculations or 
measurements have been supposedly checked as a control and the 
auditor wishes to check that the control actually operated. For 
example, there might be a control that two per cent of overtime 
payments over £50 are checked to source documents for validity and 
accuracy of computation. The auditor may wish to reperform the check 
on a sample of that two per cent. This test does not establish that the 
control was observed in all cases but could detect errors and thus has a 
deterrent value 

(d) vouching - checking a transaction against supporting documentation, 
for example, a payment to a supplier against corresponding order, 
goods received note etc. 



RECORDING TEST RESULTS 

29 Adequate documentation of the testing undertaken is important for 
the auditor to show how he has arrived at conclusions. For each test this 
should include: 

(a) testing objectives 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



(b) detail of the nature and extent of tests including any method used to 
determine the size and selection of the samples 

(c) incidence of error found and its implications 

(d) cause of weakness in control 

(e) corrective action recommended 

30 The tests planned and the results of tests undertaken should be 
recorded in the audit programme and the audit test record (see C3.2). 
Supporting working papers including, where appropriate, copies of 
relevant documents should be clearly cross-referenced. 



GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



Arrive at conclusions 



C2.6 



1 This is the stage of a systems audit where the auditor considers the 
results of his work and arrives at conclusions prior to reporting within the 
unit and to the management of the area audited. The auditor will have 
arrived at conclusions during evaluation and testing. He now reviews these 
in the light of the terms of reference for the audit assignment. 

Audit opinion 

2 In arriving at his opinion the auditor should be satisfied that he is able 
to judge whether: 

(a) the controls he has evaluated are reliable 

(b) testing has shown them to be operating in practice 

(c) he has sufficient, relevant and reliable evidence to report that the 
Accounting Officer can (or cannot) be given assurance on the systems 
reviewed in the audit assignment. 

3 In arriving at his opinion the auditor should consider: 

(a) any control weaknesses identified during evaluation and/or testing 

(b) any duplicated, excessive or inappropriate controls 

(c) controls which are not being operated 

(d) the materiality of the weaknesses 

(e) the risks which arise from identified weaknesses 

(f) the effect of compensating controls 

(g) the consequence of over-control 

(h) the overall effect of (a) - (g) 

4 If the auditor is not satisfied that he is able adequately to form or 
support his opinion he should consider whether and what further testing is 
necessary. The auditor may need to consider whether it is necessary to 
carry out substantive testing to convince management of the existence of 
(or seriousness of) weakness as discussed in C2.5. Audit management 
should be consulted and involved in determining the need for and extent of 
significant further tests. 

Recommendations 

5 The auditor’s good judgement is of paramount importance in 
interpreting and presenting audit results and in making appropriate 

GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C2.6 



recommendations. He is concerned not only to arrive at conclusions but 
also to convince management of the need to act upon them. The auditor 
should make clear the risks to which management is exposed by 
weaknesses in controls or their operation. He should bear in mind that 
over-control is expensive. 

6 Having arrived at his conclusions, and discussed them with auditees, 
the auditor should determine the recommendations he will make to 
management. These should indicate: 

(a) new or alternative controls to correct or mitigate weaknesses 

(b) adequate controls which are not operating correctly 

(c) unnecessary controls. 

7 Whenever possible, recommendations should be agreed with auditees, 
but it is not the auditor’s responsibility to detail corrective action nor 
should he be involved in its implementation or operation. However, having 
detected a weakness, he should be prepared to advise management 
thereon. The auditor should subsequently ascertain the action taken as a 
result of his recommendations. 

Reporting 

8 Audit reporting is dealt with in C3 . 3 . 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



Control of audit 



1 Audit planning 

2 Audit documentation 

3 Audit reporting 

4 Audit management 



GIAM 12/83 (amended) 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.I 



j mdit I ' lanning 



Introduction 

ASSESSMENT OF AUDIT NEED *A 
Consideration of systems 
Time factors 

OPERATIONAL PLANS 
Long-term plan *B 
Short-term plan *C 
Audit work plan *D 

REVIEW OF PLANS 



The audit planning process: Appendix 1 



GIAM 12/83 



^examples follow the text 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Introduction 

1 This chapter deals with the audit planning process and gives guidance 
on how to assess audit need and prepare operational plans. Appendix 1 
shows the stages involved and their inter-relationship. Some illustrations 
of planning documentation are given as examples but these are not 
intended to prescribe any style or format. 

2 Planning is the first element of management without which the others 
lack purpose and direction. It is concerned with the achievement of 
objectives by the allocation of resources to perform tasks within time 
parameters. It involves judgements on what should be audited, how 
frequently and in what priority. This requires detailed knowledge of the 
department’s activities. 

3 The advantages derived from the planning process include: 

(a) a clear view of the work load of the internal audit unit 

(b) a base for assessing the adequacy and future deployment of audit 
resources 

(c) a yardstick against which actual performance can be measured 

(d) authority to act once approved by senior management 

(e) a permanent record of the factors considered and the judgements 
made. 

4 The planning process should start with a clear view of the level of 
assurance required by the Accounting Officer. He may feel that he is only 
able to make this judgement once advised of the department’s audit need. 
The standards for assessing audit need are outlined in B5.7-10. The main 
points are: 

(a) the initial assessment should not be limited by constraints such as 
time or available resources 

(b) there should be a complete reassessment at least every five years 

(c) there should be a continuous review to take account of changes in 
the work or organisation of the department or the implications of 
audit results. 

ASSESSMENT OF AUDIT NEED (Example A) 

5 Audit need can be defined as the priority and frequency with which 
each of the systems in a department should be audited and the resources 
needed to audit each system. The Head of Internal Audit’s judgements 
on priority will rely heavily on assessments of risk and materiality of 
individual systems and their importance in the internal control system. In 
many cases the reason that makes a system a high priority for audit will 
also make it a candidate for frequent audit. 

CI AM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.1 



6 Any other work which can be identified at this stage, such as work 
for NDPB’s or special reviews, should be added to the needs assessment. 

7 When assessing audit need the Head of Internal Audit must have a 
clear view of his objective and how he intends to achieve it. He should 
remember that the objective is to assess on behalf of the Accounting 
Officer the internal control system which covers the whole range of a 
department’s activities and consider; 

(a) which systems should be audited, and in what order, to cover the 
whole internal control system 

(b) to what extent will each system require a first audit, further audits 
within the cycle, interim work and monitoring of systems changes (see 
paragraph 11) 

(c) how many direct man days are likely to be required to do (b). 

8 The following check list is a guide to the stages in assessing the audit 
need (items a~e) and resource implications (items f-i). 

(a) identify all systems within each area of the department 

(b) identify interfaces between systems (see paragraphs 9-10) 

(c) rank systems based on risk and materiality 

(d) decide the length of the audit cycle over which the assurance should 
be given to the Accounting Officer 

(e) decide the frequency of each audit and any interim testing strategy 
(see paragraph 11) 

(f) assess the basic direct time (excluding supervision and management) 
needed to audit each system, including any interim testing, throughout 
the audit cycle (see paragraphs 12-14) 

(g) convert (e) and (f) into a resource requirement over the full period of 
the audit cycle 

(h) include a factor for contingencies such as new duties arising from 
changes in the work or organisation of the department, and other 
internal audit work such as peer reviews of other internal audit units, 
reseach and development etc. The contingency should be separately 
identified for control purposes. 

(i) add a factor of direct time for supervisors and managers (see para- 
graphs 15-16). 

Consideration of systems 

9 The Head of Internal Audit needs to examine interfaces between 
systems to identify the extent to which assurance about one system (or 
part of it) can automatically be obtained from the audit of another system. 

GIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



For example, in a computer installation audit of the general controls over 
input can provide assurance for all applications going through the process. 
From this he can decide the most efficient and effective mix of audits to 
obtain the degree of assurance required by the Accounting Officer. 

10 To examine these interfaces he should sort systems roughly into types 
and prepare a matrix to show the areas of overlap, as illustrated in 
Example A 1 between systems for: 

(a) monitoring — management information and accounting systems, such 
as budgetary and manpower control systems, are likely to cover all 
parts of a department. They provide tools to a hierarchy of manage- 
ment within any one part of the department. Potentially, assurance 
provided by audit on these systems will reduce the effort needed to 
audit the local systems in any one area. If the department is relying 
on such systems as primary tools they should be priority systems in 
the audit plan. 

(b) service — administrative support systems such as payroll, bill paying 
etc. These, too, are common systems and are likely to score high in 
assessments of risk and materiality. 

(c) review — agencies (such as staff inspection or management services) 
which review systems. These reviews are usually of individual areas 
of a department and thus cannot be relied upon to give any assurance 
about other areas. The agencies themselves are subject to internal 
audit and should be considered in assessing audit need. 

(d) operational — systems for carrying out the business of the department. 
The work necessary to audit these systems is likely to be reduced by 
assurance provided from audits of other systems with only residual 
assurance required on the operational system itself. 

11 There are no rules about how often a system should be audited nor 
on how much testing (if any) is required between system reviews. The 
Head of Internal Audit must decide the level of audit activity he considers 
to be necessary to enable him to give assurance over the audit cycle. His 
decision will be influenced by risk and materiality, the complexity of a 
system, how often it is changed, the existence of higher level controls and 
past evidence. 



Time factors 

12 Staff time available for audit assignments should be assessed as 
illustrated in Example A2. This should be based on anticipated perform- 
ance and competence of audit staff. Untrained or inexperienced staff will 
take longer to perform tasks. 

GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.1 



13 Basic direct time is the time spent on an audit excluding supervision 
and management. It should include all stages of an audit such as collecting 
background data, preparing the audit plan, fact finding, documenting, 
testing, preparing reports, discussing audit findings, follow up and moni- 
toring of systems changes. It should be analysed to reflect the need for 
specialist skills (such as computer auditors, accountants etc) and to show 
where the audit requires the expertise of a higher grade auditor. 

14 Other work (see paragraph 6) will have to be assessed for basic direct 
time. The extent of agency work should have been agreed on the basis of 
an assessment of audit need. Special reviews required by the Accounting 
Officer will have been individually assessed for their resource implications. 

15 The direct time need from supervisors and managers should be 
calculated as a proportion of basic direct time. This factor implies a 
structure of command within the unit (eg 20 per cent represents a ratio of 
1:5, 33 per cent represents 1:3). In determining these proportions the HIA 
must have regard to established grading standards, the range and complex- 
ity of the audits, the geographical spread of the department and the 
anticipated calibre of the auditors. 

16 Untrained/inexperienced staff need more supervision. Applying the 
ratios described in the previous paragraph will increase the amount of 
supervision available (reflecting the extra basic direct time allowed for 
each audit). The HIA must consider whether this increase is adequate or 
whether he needs also to increase the factor he applies. 

17 Example A3 illustrates how to calculate a divisor to convert direct 
time into staff numbers for an individual auditor of each grade and type. 
Basic direct time is provided by a mix of auditors, specialists, trainees 
and assistants. 

18 The resource implications of the audit need must be compared with 
available resources. A serious apparent mismatch should be reported to 
senior management for resolution. The result of this process will be the 
agreed audit need. 



OPERATIONAL PLANS 

19 In the light of the needs assessment (and priorities within it) the HIA 
must prepare operational plans which should include: 

(a) a long-term plan — a strategy for 2 to 5 years depending upon the 
length of the audit cycle. It should set out audit objectives, areas to 
be covered and frequency of cover reconciled with expected resources. 

OIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€3.1 



(b) short-term plans — a programme of audits to be carried out in the 
coming year or shorter period. It should define the purpose of 
individual audits and allocate staff. 

(c) audit work plans — a plan prepared for each audit as it is arranged. 



Long-term plan (Example B) 

20 The long-term plan is derived from the agreed audit need. It should 
be reviewed and rolled forward at least annually and approved by the 
Accounting Officer. 

21 The task is to allocate the audits identified in the needs assessment 
to specific years in the audit cycle. The following factors influence the 
process: 

Resource — the resources expected to be available each year 

Annual tasks — annual tasks identified in the needs assessment will be 
the first charge against each year’s available resources 

Contingency — there should be a contingency element in each year of the 
plan consistent with the overall contingency in the needs assessment 

Priority — as a general rule systems with the highest priority should be 
scheduled as early as possible in the timetable within the available annual 
resources. 

Frequency — has already been considered in the needs assessment and 
determines in which years a system should be audited after the first. 

Locations — the HIA needs to identify locations, and the systems used at 
each, and the appropriate element of the audit needs assessment. He may 
decide on an annual allocation of resources to each location in priority 
i order, or he may decide to group the audits at a particular location 
around the time of a major audit at it. 

Centralised systems — his approach should reflect the extent to which 
systems are centrally prescribed or within delegated authority. This applies 
particularly in the case of a network of offices operating a common 
system. Audit visits may be necessary only to test management’s hierarchy 
of control. 

Logistics — there may be good reasons why certain audits should be done 
(or should not be done) within a short time of each other. There may 
also be certain audits which require specialist staff and the allocation of 
these to any year should be consistent with the specialist staff available in 
it. This factor becomes more critical in short-term plans. 

Q1AM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€3.1 



Short-term plan (Example C) 

22 In translating the long-term plan for the year ahead into the more 
detailed plan of assignments care needs to be taken to make sure that any 
new developments are taken into account. For example: 

(a) have there been any changes in the department’s activities which. have 
not been reflected in the needs /long-term plan? 

(b) has anything happened to affect the original assessment of risk and 
priority? 

(c) are the original assessments of strategy and resources needed still 
valid? 

(d) are the staff available now more/less experienced than anticipated? 

(e) has there been any slippage in previous short-term plans which must 
now be rescheduled, either into this short-term plan or the long-term 
plan? 

This re-appraisal should be reflected in the annual re-appraisal of the 
long-term plan. 

23 The following stages are involved in drawing up the short-term plan: 

(a) allocate resources available over the planning period on a weekly 
basis. This involves identifying known absences, expected changes in 
staff and other commitments 

(b) based on the re-appraisal in paragraph 22, select the appropriate 
audits from the long-term plan, consistent with the balance of available 
resource 

(c) decide the period over which each audit will be done 

(d) identify the man weeks, in direct time, needed for each audit 

(e) allocate audits to weeks in the plan ensuring that there are no 
inconsistencies. It is important to consider whether any audit must/ 
must not be done at specific times. 

(f) keep performance against the plan under constant review and revise 
the plan when slippages cannot be avoided. 

24 The Head of Internal Audit should consider the strengths and weak- 
nesses of the staff available and contain the amount of audit work to 
allow for the need to develop and train his staff. 

25 In a large internal audit unit audit managers /team leaders may be 
responsible for specific blocks of audits— -either by function, location or 
programme. In such circumstances the preparation of the short-term plan 
may be delegated to them but the Head of Internal Audit remains 
responsible for the adequacy and consistency of the plans. 

CHAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Audit work plan (Example D) 

26 This is the detailed plan for the direction and control of an audit. Its 
purpose is to set out, for agreement between Head of Internal Audit or 
his delegate and the team leader/auditor, the objectives scope and conduct 
of the audit. 

27 The timing and resources should be taken from the short-term plan. 
There should be a preliminary review to understand fully the area to be 
audited. It will include reference to line management, previous audit 
reports and other relevant data. It should provide a base for preparing 
the work plan which should show: 

(a) the objectives of the audit 

(b) the extent of coverage, and areas to be given emphasis, with reasons 
eg poor internal control, high risk, significant materiality 

(c) target dates for completion of each stage of the work 

(d) the individuals to be deployed and responsible for the conduct of the 
audit. Any variation from resources included in the short-term plan 
should be noted at this stage. 

REVIEW OF PLANS 

28 Planning is a dynamic process. New systems, more up-to-date infor- 
mation and other developments will cause the Head of Internal Audit to 
reconsider his assessments of need, priority and resources. These changes 
have to be catered for by changes to short-term plans. They must also be 
considered for their impact on the long-term strategy, the audit need and 
resources. 



01 AM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€3.1 

Appendix 1 



THE AUDIT PLANNING PROCESS 




GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



01 AM 12/83 



ASSESSMENT OF AUDIT NEED AT 



19 



• * 



System 


First Audit 


Further Audits 


Interim Test* 


TeUl 


TYPE OF AUDITOR 


Aud it 

NO. 


Description 


Matrix Ret 


Risk Ref 


Oays 


No 


Days 


No 


Days 


Man 

Days 


A 


8 


C 


0 






























Systems Aud*ts 
Qliw Work (Specify) 

Contingency 

Audit NmkS Direct Time) 


Total 




















Total 





















Key to staff types — see A2. 
Staff numbers — see A2. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.1 Example A 



GIAM 12/83 



DIVISION OF SYSTEMS 



Common Systems Operational Systems 


wA 


Monitoring 


















































































































































































































































































Servi ce 












































V 


















































































































































- 




















































































Review 





















































































































































































































































































Printed image digitised by the University of Southampton Library Digitisation Unit 



C $.1 Example A1 



AM 12/83 



Type of Auditor 



A A&sistant/Trainee 



8 Auditor 



C Specialist 



D Senior 



Totals 



Divisor for Grade 



Numbers for Grade 



Bask Direct 
Time 



A 

B 

C 



A 

B 

C 



A 

B 

C 



Supervisory 
Factor % 




Seniors Direct 
Time 

D 




This converts basic direct time to staffing need. 



Basic direct time — see A. Divisor — see A3. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.1 Ex-ample A2 



C3.1 Example A3 



A 

Ass istant/ 
Trainee- 


8 

Auditor 


C 

Specialist 


D 

Sentor 


E 

Manager 


Maximum working days p.a 
Less ; 

Annual leave 
Public holidays 
Sick leave (estimate) 
Training/Study leave 
ExamsfRevisioo leave 










Net attendance days p.a 

Leas indirect time 
le. Administration 










Direct time pa 
X Years in audit cycle 










Divisor 











This converts direct time into staff numbers. 

The Ready reckoner for Staff and other Costs gives some guidance on 
the calculation of net attendance days but the training element from 
auditors, particularly trainees, will be different. 

Indirect time will vary but is likely to be much greater for senior staff. 



OIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 12/83 



LONG TERM PLAN FOR THE PERIOD . (extract) 



Ao < iit 
Ho 



V** 

2/34 

3/8+ 

1/65 



O^fccHptioo 



*U£ 

Auffct 

N*«d 



n*us 

The above examples illustrate how 
to record the following audits 



t/84-A System to he audited 

annually with no interim testing. 



2/84- An audit to be started 
but not competed in one year. 



3/64 - Compliance testing 
between audits 



1/S5 "" The first audit of year 2. 



Man days should be in baste direct 
tirn*. The total should agree with 
the audit needs assessment. 



YEAR1 



First 

Audit 



y 

y 

y 



Further 

Audfta 



Interim 

T*Stt 



Total 

Man 

D»ys * 
r«*r 



Contingency 
Totai(&aSrC Direct Time) 



ANALYSIS OP KAN DAYS BY TYPF 



YEAR 2 



First 

AlKlit 



y 



y 



Further 



y 



Interim. 

Testa 



y 



Total 

M»n 
D *y» m 
Year 



ANALYSIS OF WAN DAYS BY TYPt 



YEAR 3 
Onwards 



Contingency 
Total (Basic Direct Time) 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.1 Example 8 



GIAM 12/83 



SHORT-TERM PLAN FOR THE PERIOD 



(extract) 



Staffing 

Name of Auditor 



Week No 


























i 


2 


3 


4- 


S 


S 


7 


8 


9 


10 


11 


n 


13 


1+ 


15 



Direct time expected 



Tots! 



Allocation to Audits 

Audit Description 
No 



Contingency 



Direct time allocated 



Total 



The plan can show elapsed time for an audit as well as man days allocated. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.1 Example C 



C3.1 Example D 



AUDIT WORK PLAN 




The work plan may also note audit scope, areas of high interest, approach, 
techniques to be used and problem areas. It may be referenced to working 
papers. 

The team leader and/or manager may sign the plan on final review. 

OlAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 



Audit Documentation 



Introduction 
PRINCIPLES 
PRACTICE 
Systems record 
Flowcharts 

Narrative descriptions 
Organisation charts 
Internal control questionnaires *A 
List of systems recorded 
Systems review record 
Record of system weaknesses *B 
Control evaluation record *C 
Audit programme *D 
Audit test record *E 
Question and answer record 
Notes of meetings and interviews 
Post-audit summary 
AUDIT FILES 

* examples follow the text 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 



Introduction 

1 This chapter outlines the principles and practice of audit 
documentation from the start of a systems audit to post audit discussion. 
Documentation for audit planning, including the work plan which is the 
starting point for the audit, is described in C3.1. Some illustrations of 
forms are given but these are not intended to prescribe any style or format. 
The Head of Internal Audit is responsible for specifying standards of audit 
documentation and should satisfy himself that they are maintained (B5.26). 

2 Documentation is a means of communication within an internal audit 
unit and between the unit and others. It also provides evidence of work 
performed and of the findings which support audit conclusions and 
recommendations. Adequate cross-referencing and indexing is vital if 
documentation is to be accessible and thus be an efficient tool for the 
auditor. 

3 Audit documentation should: 

(a) record the objectives and scope of the audit and audit activity. This 
provides an indication of what needs to be done on the audit and gives 
a standard by which audit achievement may be measured. 

(b) encourage a methodical approach to work and help the auditor organise 
his work. Well organised paper work imposes a discipline and provides 
a framework of guidance within which auditors can function more 
effectively. It helps to guard against loose ends or incomplete work. 
Good documentation aids good judgement by assisting logical thought 
and work processes without limiting perspective or innovation. 

(c) support the conclusions reached by the auditor. Auditors need 
documentary evidence to deal with any query or challege to audit 
findings which might arise after the audit. A clear record is essential if 
the auditor is to answer effectively. 

(d) enable audit supervisors and managers to review the adequacy and 
standard of work. Supervisory and management review, peer review 
and external auditor’s evaluation are all part of the control process 
which provides assurance on the scope, completeness and quality of 
work. Such reviews can be effective and complete only if the 
documented evidence of activity is satisfactory. 

(e) provide information for further audits. Clear and complete 
documentation of earlier audits enables successive audits to build up 
information on problems and develop audit coverage. 

PRINCIPLES 

4 The size of the internal audit unit and nature of the department 

GIAM 0/H3 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 



influence the type and volume of audit documentation. However, the 
following general principles should be regarded as the minimum necessary 
to achieve an adequate standard. 

Consistency and standardisation 

5 Within any internal audit unit there should be consistent use of audit 
documentation (B5.28). Departmental audit manuals, or other written 
means, should set out instructions on the format, practice and procedures 
relating to internal audit documentation. Standardisation aids clear 
understanding and continuity, improves the efficiency of preparation and 
review, and aids delegation of work. 

Accuracy and timing 

6 Failure to keep accurate audit records would seriously impair the value 
of the audit and the objectives set out above would not be met. The records 
should show precisely what was done, what conclusions were reached and 
why, and how this achieved the audit objectives. Working papers should be 
prepared as each audit proceeds (B5.27). 

Clarity and conciseness 

7 Wording and format should be such that the reader will be in no doubt 
about meaning and will easily assimilate information. 

Completeness 

8 Papers should be sufficiently detailed to show the course of action from 
start to finish so that each step in the audit can be identified and the 
reasoning understood, but not so detailed that the message is obscured. 

Authorship and supervision 

9 The originator and date of origin of each audit document should be 
stated on it; space should also be provided on it for recording supervisory 
review. 

Arrangement of papers 

10 The audit papers should enable the logical process of thought or action 
to be followed and may sequentially follow the audit plan or programme. 
Sequential numbering to indicate chronology may be convenient even if 
not in the most logical order: the review of systems may be carried out in a 
convenient although not necessarily consecutive sequence. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



C3.2 



Review 

11 After each audit the documentation should be reviewed by the 
supervising auditor and the review clearly recorded (B5.21). He should 
ensure that there are no loose ends, that documentation conforms with the 
unit’s instructions and that the record of audit evidence supports opinions 
and conclusions. A test of the adequacy of documentation is whether an 
experienced auditor, on the basis of only a review of the file, would reach 
the same conclusions. 

PRACTICE 

12 Paragraphs 14-55 describe the basic documents an auditor needs to 
prepare during an audit. Paragraphs 56-62 describe the files they may be 
kept in. Some related aspects of recording are also briefly discussed in C2 
which describes the stages of a systems audit. 

13 Auditors need to take special care about the confidentiality and 
security of documentation and ensure that they are maintained. 
Departmental procedures for privacy marking, custody and despatch apply 
to audit. ‘Audit - in confidence’ or ‘Management - in confidence’ are two 
commonly used privacy markings. The former may be preferred if wide 
circulation is not appropriate. Where documents are copied from files they 
should be controlled in strict accordance with any original privacy or 
security classification. 

Systems record 

14 Recording systems and controls is an important element in the initial 
stages of a systems audit. The record of systems forms the basis of the 
auditor’s judgements, conclusions and recommendations. The auditor 
should decide which technique or combination of techniques for recording 
systems will best suit his purpose. 

15 Existing documentation of systems such as operating manuals, job 
instructions and procedural instructions may be adequate for the auditor’s 
purposes. However it should be borne in mind that the aim of the internal 
auditor is to record the system as it operates rather than as management 
have instructed that it should operate; this is an essential part of his 
evaluation. The management record of the system, in whatever form, may 
not identify control points. 

16 It is important that all types of procedures and transactions covered by 
the system under review are ascertained and recorded. This should include 
deviations arising from circumstances such as holidays, staff absences, 
unusual hours or machine failure etc. 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 



17 It is vital that the method of recording a system should provide a good 
basis for the evaluation of the strengths and weaknesses in internal control. 
The auditor should not include matter with no audit significance since 
recording is a time-consuming activity. 

18 A system should be recorded only after adequate fact finding by 
observation, interview and consideration of documents and records used in 
the system. When considering a given system, auditors may find some 
procedures that are un-recorded, some partly recorded and/or some which 
are out of date. When adequate, copies of standard documentation and 
significant reports or summaries may form part of the audit record. When 
clarity is not jeopardised an existing record of a system may be amended. 
The dates of such amendments should be recorded. 

19 It is essential to note the name of the auditor who prepared the system 
record and when he did so. This will identify when the system was as 
described. The controls should be highlighted. Individual reference 
numbers or codes are usually helpful in identifying the control to which an 
evaluation or test refers. It may also be convenient to provide space on the 
document for cross-referencing controls to evaluation forms or records of 
system weaknesses. 

20 When a common system has already been recorded, and is 
satisfactory, a system exception note may be appropriate. It should explain 
any deviations from the prescribed system and their effect. For example, 
when a function is performed at many locations using the same instructions 
and manuals, a common record of how the system is intended to operate is 
likely to exist. Armed with this record the auditor need only note any 
deviations that occur at individual locations . 



Flowcharts 

21 Flowcharting is a diagramatic method of recording and describing a 
system which shows the flow of documents or information and the internal 
controls within a system. 

22 There are various methods of and symbols for flowcharting. The 
comprehensive working guide “Flowcharting for Auditors” in Accountants 
Digest 32, published by The Institute of Chartered Accountants in England 
and Wales, is recommended as a standard. 

23 The auditor should consider the advantages and disadvantages of 
using flowcharts when deciding how to record a system. 

24 The advantage of flowcharts are: 

(a) information can be conveyed and assimilated effectively 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 



(b) they highlight the relationship between different parts of the system 

(c) the overall system can be seen and the auditor can be more certain that 
he has the whole picture: flowlines going nowhere can be easily spotted 

(d) they are a consistent method of recording 

(e) control strengths and weaknesses are easy to identify because control 
points are clearly identified 

(f) redundant control, redundant activity and bottlenecks are easily 
identified 

(g) in complex systems they offer a good way to gain a clear understanding 
of a system 

(h) cross-referencing between systems is easier 

(i) amendment is easier than with a narrative 

25 The disadvantages of flowcharts are : 

(a) they can become an end in themselves 

(b) physical activity, e.g the movement of goods, may not be represented 

(c) the technique and conventions have to be learned and practised 

(d) their creation may be more time consuming than a narrative 
description. 

Narrative descriptions 

26 It may be quicker and clearer to write a narrative description of a 
system especially when it is small or simple. The chosen method should be 
appropriate to the audit assignment. Writing a narrative, overview, or 
outline of a system often achieves a broad understanding and may be more 
appropriate for recording the environment in which a system operates. 

27 Narrative notes and flowcharts may both be used if this means that the 
system is more comprehensively recorded. The two should be cross 
referenced to indicate where items in the flowchart are explained in the 
narrative. Specimen documents or sample forms attached to the 
description are often helpful to illustrate a particular point. 

Organisation charts 

28 As part of the background information for an audit assignment it may 
be necessary to record the organisational structure. A copy of an existing 
organisation chart may suffice but the auditor may need to draw one. 

29 The chart needs to be up-to-date since it provides details of the 
information chain, relationships and responsibilities. It is also useful in 
identifying staff and in testing. The date of preparation should be noted. 

OIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 



30 The chart may include : 

(a) main sections/branches with a description of their functions 

(b) job titles and names of staff together with lines of responsibility 

(c) any other reporting lines 



Internal control questionnaires (Example A) 

31 Internal Control Questionnaires (ICQs) help the auditor to identify 
control strengths and weaknesses. They are a list of questions related to 
specific control objectives that might be expected to be achieved in a 
particular system. On their own they do not provide a clear or complete 
picture of systems in operation or a sufficient basis for evaluating internal 
control. The name of the auditor who drew up the ICQ, and when, should 
be recorded on it with the title of the system concerned. 

32 Space should be provided for the control objective and the list of 
questions should normally be worded to obtain a ‘Yes’ or ‘No’ answer. A 
comment column may be required to show the auditor’s assessment, eg 
where an apparent weakness in control is compensated by controls 
elsewhere in the system. Further space should be provided for cross- 
reference to compliance tests. 

33 The auditor may prepare an ICQ before an audit starts but he will 
need to adapt it as work progresses. It should be based on the control 
objectives he has determined. The questions should show whether and to 
what extent the control objective is met. Questions need to be clear. If 
phrased so that a ‘Yes’ answer means a control strength and ‘No’ a control 
weakness the latter will be more readily identified. The questions are 
addressed to the auditor not auditees. The auditor answers each question 
from his own appreciation or assessment of a system. 

34 Questions should be clear and unambiguous. For example, if in a 
purchasing system, a question was phrased ‘Are invoices checked?’, the 
auditor may reply ‘Yes’ if he finds that they are checked arithmetically. Fie 
might not enquire whether they are checked to orders, or that goods have 
been received, etc. It is essential to question each one of these aspects to 
obtain the full picture. 

35 The auditor should also avoid general questions such as ‘Are the 
procedures for cancelled cheques satisfactory?’ in a payments system. He 
should ask a series of relevant questions which, taken together, would 
provide the answer to that question. For example, in this case, he might 
ask: 



GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 



‘Is the bank notified in writing of cheques to be cancelled?’ 

‘Is the reason for cancellation noted in the cash book?’ 

‘Is the date of cancellation notified by the bank entered in the cash 
book?’ 

‘Is the cash book checked for confirmation of cancellation before a 
subsequent cheque is issued?’ 

‘Is there regular follow-up of cancellations not confirmed?’ 

‘If account ledger posting have already been made, are cancellations 
recorded for subsequent credit entries?’ 

36 The advantage of ICQs are that: 

(a) they enable concentration on control objectives and identification of 
important controls 

(b) they are a useful aide-memoire. 

37 The disadvantages of ICQs are: 

(a) the yes/no approach is often an over-simplification of a complex 
control system 

(b) the questions may become irrelevant 

(c) special factors and particular circumstances are difficult to forsee and 
may be neglected 

(d) they can promote a mechanical and unimaginative style. 

38 Standard ICQs can be designed for use on similar systems. These 
often become long and include irrelevancies, but used with care they can 
be effective. The danger of these becoming control check lists should be 
recognised: each ICQ needs to be appropriate to the system for which it is 
being used. 

39 Whilst it may be useful to use a similar technique as an aide-memoire 
in obtaining background information, eg by asking questions on, say, the 
throughput of transactions or number of staff, these tasks should be 
covered by designated checklists. ICQ’s should concentrate on questions 
related to controls and whether they achieve their objectives. 

List of systems recorded 

40 To enable quick and easy identification, particularly in complex 
situations, the systems recorded and the date of recording may be listed. 
This may be kept on the permanent file and/or with the systems records. It 
may include a record of successive reviews or a separate review record may 
be kept. Cross-reference to the relevant flowchart or narrative description 
is helpful. 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 



Systems review record 

41 Systems are usually in a state of change and development and the 
auditor needs to know whether his record is up to date. It is also helpful for 
audit management and planning purposes to know the history of audit 
reviews for each system. A review record lists audit examinations of each 
system and shows when and by whom they were undertaken. The review 
record may be attached to a flowchart but it should be on the permanent or 
systems file. It should be cross-referenced to flowcharts, narrative 
descriptions etc. 

Record of system weaknesses (Example B) 

42 Weaknesses identified on evaluation must be recorded clearly for 
future reference and to help determine audit tests. One method is to keep a 
separate record of them which should indicate dates on which weaknesses 
were identified, auditee comment, and action thereon. 

43 The record should clearly describe the weaknesses identified. It is not 
sufficient just to state what does, or does not, happen and to leave it to the 
reader to judge what is at fault. Hence if, say, the auditor found that one 
person alone opened post he should state that this is so, and that it could 
facilitate misappropriation of cash or other valuables since no control 
existed before receipt was first recorded. He should not simply state: ‘Only 
one officer opens post’ or, even worse, ‘Post opening is not controlled’. 

44 The note of action taken should be specific. For example, it would not 
be sufficient to state that the weakness was discussed with, say, a senior 
officer. The auditor should clearly record what action was promised or 
taken by the officer, whether any letters or minutes were exchanged, what 
action was actually taken or when it was proposed next to review the 
situation. 

Control evaluation record (Example C) 

45 The auditor’s evaluation of controls should be cross referenced to the 
control objectives he has identified and the controls he has found to be 
operating. They may also be referenced to flowcharts and other systems 
records including ICQs. This record should set out the control objectives, 
the controls identified which will achieve the objectives, and the auditor’s 
evaluation of whether they achieve this. It should be cross-referenced to 
related compliance tests, and it is useful to provide space for cross- 
references to substantive tests when the effect of weakness or failure needs 
to be determined. 

46 The record should-clearly state the controls and the auditor’s 
evaluation. It should avoid describing processing procedures which will not 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 



require evaluation or testing. The auditor should avoid inconclusive 
discussion of strengths and weaknesses but show why he believes the 
controls would, or would not, achieve the objectives. He should bear in 
mind that compliance testing has not yet been carried out. 

Audit programme (Example D) 

47 Audit tests arising from the evaluation of strengths and weaknesses in 
internal control should be recorded on an audit programme. The reason 
for testing will, in some cases, be given in the audit work plan to which 
appropriate references should be made. It is often helpful to repeat audit 
objectives on the programme which should give details of target dates and 
auditors assigned to tasks. 

48 Space should be provided for cross-references to the audit test record 
on which the results of the work are shown. The signature or initial of the 
auditor who has completed each test and of the reviewer should appear. 
Details of tests to be carried out must make clear what is to be done and 
which control is being tested. Statements which simply instruct the auditor 
to find out whether a control exists, or operates, must be avoided. 

49 Each test should be specific on matters such as: 

who is to be interviewed or observed 
what is to be examined 

how many items are to be selected for examination and on what basis 
what criteria are to be used for determining error. 

Audit test record (Example E) 

50 Audit test records should be used to record the results of the tests 
outlined in the audit programme. This includes the source and number of 
items tested, audit findings, results of subsequent enquiry, evaluation of 
results and action taken. Where sampling techniques are applied, method 
of sampling, sample size etc should also be shown. 

51 The record should link to the audit programme, unless the test has 
arisen for some other reason (which should be stated). Space for the 
reviewer’s comments is desirable. Cross-referencing results to the post 
audit summary, or to the audit report, helps ensure they are properly 
reflected in conclusions and recommendations. 

52 In areas where much detailed work has been done it may be 
appropriate to provide a separate summary of test results. This can ease 
the task of compiling the post audit summary and audit report. If prepared 
as the audit progresses it also provides a note of the work done so far. This 
is useful if, for example, it is necessary to hand over to another auditor. 

GIAM 9/83 

Printed image digested by the University of Southampton Library Digitisation Unit 



C3.2 



Question and answer record 

53 During an audit queries may well arise which the auditor can clear 
with the auditee. A record of these is useful to identify the source of 
particular information or to support audit comment. 

Notes of meetings and interviews 

54 Notes of meetings or interviews should be taken at the meeting or 
soon after. Notes should include the names of those attending, date, time 
and venue and record the main points of discussion and any agreement or 
disagreement. If the note is agreed with and/or circulated to those 
attending a record of agreement or a circulation list should be kept. 

Post-audit summary 

55 At the end of (or sometimes during) an audit a summary of the main 
points which may appear in the draft report should be prepared as an 
aide-memoire for post-audit discussion and for review purposes. This 
should be clearly referenced to test results, systems records, records of 
strength/weakness or control evaluations so that conclusions can be traced 
to the evidence supporting them. Columns for auditor’s and auditee’ s 
comments on post-audit discussion are useful for future reference and for 
report writing. The summary should be referenced to the audit report as 
the latter is written. It is also useful to copy it as a carry forward record for 
any follow-up action at the start of the next audit. 

AUDIT FILES 

56 Two types of files are normally maintained for each audit: a 
permanent file which contains continuing information, and a current file 
containing the papers immediately relevant to the audit. These files may be 
sub-divided for convenience. Indexing will improve audit efficiency and 
control. Audit management should determine when and how the current 
file should be closed and stored. This is usually after follow-up action has 
been completed. 

Permanent file 

57 The permanent file contains papers of continuing relevance and its 
contents should be reviewed at the start of each audit. Contents may 
include: 

(a) organisation charts 

(b) terms of reference of the audited activity 

(c) relevant job descriptions and authority limits 

(d) list of locations and of main books of record or account 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



C3.2 



(e) list of account codes and specimen signatures 

(f) list of recorded systems 

(g) systems review records and records of system weaknesses 

(h) specimen documents, extracts of records and reports 

(i) ICQs 

(j) descriptions and analyses of functions and volume of transactions etc 

(k) audit reports and notes of work referred to next audit 

(l) other reports eg external audit or other review agencies 

(m) record of management responses and correspondence 

Current file 

58 The current file contains the papers relevant to a specific audit. Some 
may be borrowed from the permanent file and replaced after the audit is 
satisfactorily concluded. Typical contents include: 

(a) scope and objective of the audit 

(b) audit work plan 

(c) previous audit report, reply, audit points arising and/or notes of work 
referred from previous audit 

(d) record of systems and ICQs 

(e) records of system weaknesses and strengths 

(f) control evaluation record 

(g) audit programme 

(h) detailed records of tests, schedules, analyses etc 

(i) exceptions arising from audit tests 

(j) question and answer records 

(k) draft audit report 

(l) post-audit summary and details of post-audit discussions 

(m) audit report to management 

Systems file 

59 It is sometimes convenient to group the documents relating to systems 
(eg flowcharts, ICQs etc) into a separate systems file. This avoids overload 
in the permanent file and makes the systems material more easily 
available. 



Other files 

60 Material which may be needed for future reference , although not 

CilAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 



required in the permanent file, can usefully be stored in a back-up file. This 
might contain old reports, out-dated flow charts, interview notes etc. 

61 Correspondence/location files may usefully contain letters or 
memoranda between auditor and auditee and other reference material 
gathered between audits. 

62 The need to keep rough notes and drafts should be considered. These 
are normally kept only in unusual circumstances; if kept a back-up file is 
often the best place for interim storage. Keeping documents longer than is 
needed is inefficient and expensive. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



CrIAM 9/83 



C3.2. Example 



Infernal control questionnaire 


Ref. 


Subject/title 


Prepared by 


date 


Reviewed by 


date 


System 


Flowchart 




number 





Humber Control objective 



Flowchart 1 
Op. No. 



Yes/ no- 

(tick) 



Comments 



Test 

ref. 



CHAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



Record of system weaknesses 


Ref. 








Prepared by 






date 






Reviewed by 






date 


Flowchart/ 


Description of 


Audi tee 


Audit test arising 


Action taken 


Review 




ICQ number 


system weakness 


comment 


and test pa per No. 




comment 










Of appropriate.) 





















Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 Example B 



GIAM 9/83 



Control evaluation record date 

System Reviewed by date 



Flowchart 1C.0 

number reference 



Control 

objective 






Control (flowchart/ SCQ reference) 


Evaluation 


Compliance, test 
reference 


Substantive tests OF appropriate) 


Auditor's conclusion 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 Example C 



C3.2 Example D 



Audit programme 



Ref. 



Subject/ title 




Prepared by 


date 



Audit objectives 



Target date 
for cornpletion 




Auditors assigned: 
name 


grade 




Man da'/s 
allocated 








DetailofworK 


V 


■Reason for work/ 
plan reference/ 

1 eg reference 


Competed 
by (initial 
of auditor) 


Reviewed 
by (initial 
of reviewer) 



GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.2 Example E 



M 0» ■ ■ 






wucm: i st record 


Ref. 








Title — - 


Prepared by 




date 


Reviewed by 




date 


Flowchart " — — — " 

number 


Audit programme number/ 

reason for test 


Test detail/ 
programme ref. 


Results of test 


Action taken 
(including auditee 
comment) 


Reviewer's comments 


Note for next audit 



GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.3 



Audit Reporting 



Introduction 

REPORTING ARRANGEMENTS 

Distribution of reports 

Types of reports 

Consultation on draft reports 

Timeliness 

Co-ordination 

Liaison with other review agencies 

External auditors 

Follow-up 

THE AUDIT REPORT 
The audit process 
Drafting and review 
Format 
Presentation 

Advice on drafting: Appendix I 



GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.3 



Introduction 

1 T his chapter deals with reports on individual audit assignments and 
provides guidance on the practice of reporting. It should be read in 
conjunction with the standards in B7. Line reporting within internal audit 
is dealt with in C3.4. 

2 A good audit report communicates the auditor’s conclusions effectively 
and makes recommendations persuasively so that management 
understands the issues, accepts the conclusions and acts appropriately. An 
inadequate report will negate the best audit work and finest conclusions. 
The audit report should expose the risk involved in taking no action, so 
that managers can judge whether this would be appropriate. 

3 The audit unit’s contribution to the department is demonstrated in 
reports on individual audit assignments. These provide the basis for giving 
assurance on the internal control system in the annual report to the 
Accounting Officer (see C3.4). The quality of an audit and the status of the 
unit will be judged by its reports. 

4 An audit report therefore serves several purposes. It will: 

(a) provide assurance - by reporting the extent to which internal controls 
may be relied on and identifying inefficiency or waste 

(b) measure performance - by providing analyses and appraisals 

(c) prompt action - by drawing attention to remedies for reported 
weaknesses 

(d) permit follow-up - by enabling internal audit to find out if 
recommendations have been acted on. 

5 The Chapter is divided into two parts. These describe reporting 
arrangements and the preparation and content of an audit report. An 
Appendix contains advice on drafting. 

Reporting arrangements 

6 Reporting arrangements will depend on the organisation of the 
department and the extent to which authority is decentralised and 
delegated to line management. 



7 A system of reporting should be established and understood by both 
line managers and internal auditors. It should be published in 
departmental instructions and include the factors noted in the following 
paragraphs. 

GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.3 



Distribution of reports 

8 The reporting instructions should specify to whom reports should be 
sent, and in what circumstances, although it must be within the discretion 
of the Head of Internal Audit (or his audit managers if delegated) to vary 
this if he thinks it is necessary. The precise arrangements will reflect the 
organisation of the department but the Principal Finance Officer should be 
included in the distribution. 

9 A report should be sent to the lowest level of management necessary to 
achieve its purposes. The objective is to reach the managers expected to 
take action and those who are in a position to ensure that a report is 
adequately considered and action taken when necessary. Reporting to the 
manager of the audited activity and to one management level above may 
be regarded as normal practice. Higher level or exceptional distribution 
may be needed if audit findings have special implications. Limited 
distribution may be appropriate when serious irregularity is suspected. 

10 Audit reports are often of interest to and used by a number of people 
other than the immediately responsible line manager. Each has his own 
perspective and knowledge and need for detail. Writing separate reports is 
wasteful and may lead to misunderstanding. A good standard practice is to 
provide a summary supported by more detailed sections. This helps the 
reader to select what he needs. 



Written reports 

11 A written report, or other record, should be issued after each audit 
(B7.1). Written reports provide a formal record. The impersonality of a 
written report is in keeping with audit objectivity and is needed for line 
management to provide a considered response. Audit management use it 
to control the audit and permit efficient follow-up. The writing and 
presentation of written reports is described later. 



Oral reports 

12 Discussion is the most effective way of clearing up queries and points 
arising during an audit. Oral reports are not usually subject to quality 
control and if badly presented may lead to misunderstanding or 
embroidered facts. However when it is necessary to report immediately an 
oral report makes it possible to exchange views quickly and effectively. An 
oral report must always be confirmed in writing in the audit files for future 
use. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



C3.3 



Exception reports 

13 An exception report which concentrates on specific matters requiring 
attention may be appropriate in limited circumstances but should be used 
with caution. It may lead management to assume that all else related to the 
area audited is satisfactory. Hence they may derive more assurance than 
was intended or is warranted. It may also lead managers to over-react to 
problems because the report does not present a complete picture. 

14 The use of an exception report depends mainly upon the nature of the 
audit assignment, the purpose of the report and readers’ needs. If used it 
should be made clear to readers so that they do not draw false conclusions. 

Interim reports 

15 Informal contact between auditor and management will help clear up 
queries and confirm facts during the audit. The auditor may also need to 
report before the end of the audit if something is discovered which requires 
immediate action, for example if fraud is suspected or serious loss or risk 
may result from inaction. 

16 An interim report may also be appropriate when the audit is lengthy 
and it is necessary to prompt action or provide information as it progresses. 
Such a report can be oral but needs to be confirmed as soon as possible in a 
minute or letter. It should state the reasons why action is needed, the 
consequences of inaction and the auditor’s recommendations. 



Consultation on draft reports 

17 Internal auditors should normally agree facts and may discuss 
conclusions and recommendations at appropriate levels of line 
management before issuing a final report. This may be done by post-audit 
discussion and/or by requesting written responses to a draft report (see 
paragraphs 27-33). This process has three main purposes: 

(a) to ensure agreement on facts 

(b) to ensure that the auditee has an opportunity to consider the findings 
and conclusions before responding bearing in mind that responses may 
be included in the report 

(c) to clear matters which can be dealt with locally before reporting to 
higher management. 

Timeliness 

18 Audit reports need to be issued as soon as possible. A pre-set limit on 
the interval between end of audit and delivery of report imposes discipline. 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.3 



Delay progressively increases the chance that a report will be overtaken by 
events and so lose impact. It also postpones remedial action. 



Co-ordination 

19 A procedure may be established to enable the results of related audits 
to be brought together for co-ordinated presentation to higher levels of 
management. This may also keep individual auditors informed about 
important developments and findings in other assignments in the Unit. The 
co-ordination of audit findings enables the results of each assignment to be 
considered when preparing the annual report. 



Liaison with other review agencies 

20 Auditors often encounter problems which have staffing, 
organisational or operational implications. Their findings may indicate the 
need for study by other specialists. Similarly other review agencies may 
encounter situations which have implications for internal audit. Where 
appropriate, audit findings should be discussed with other review agencies 
(but see B9.12) either before or after reporting to line management. The 
exchange of information and views, including reports, between review 
agencies enhances co-operation. 



External auditors 

21 The Internal Audit Unit will have reached an understanding with the 
Exchequer and Audit Department about access to plans and documents, 
including audit reports (see B 9. 8). It is important that auditees should be 
aware of these arrangements. 



Follow-up 

22 While it is no part of the auditor’s responsibility to implement 
corrective action he has a responsibility to ascertain whether or not 
corrective action has been taken (B7. 13-15). Follow-up arrangements 
should be formal and clearly understood. They may conveniently be set out 
in the letter which accompanies the report and/or within departmental 
manuals. Follow-up may be initiated by a letter which requires a response 
from management. 

23 Although field work is finished the assignment should not be regarded 
as complete until the unit is satisfied that recommendations have been 
acted upon or have received satisfactory consideration at the appropriate 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



C33 



level of management. Responses to the report will be one of the inputs to 
subsequent audit planning and provide a measure of the effectiveness of 
both the audit and the report. 

24 Follow-up activity by the auditor will depend on the nature of the 
audit and the recommendations. It may include reviewing consequent 
changes in systems and controls or other management action. 

25 The timing of follow-up will depend on the urgency of the 
recommendations and on whether management decide to act or accept the 
risk. If action is taken the timing will depend on the nature of the changes 
made. For example, the application or amendment of an existing control 
will be quicker than making major changes. Follow-up in the next audit 
cycle may be adequate in the case of minor changes. 



THE AUDIT REPORT 

26 A unit’s guidelines on report writing should specify responsibilities for 
drafting, review, format and presentation. 

The audit process 

27 The findings supporting the report will have built up during the audit. 
An auditor will have the report in view throughout. As the audit progresses 
he will have noted his findings or “audit points” for example, on his test 
record or query and answer record. They will have raised as far as 
practicable, with appropriate levels of management or staff. 

28 Audit points will have been cleared by: 

(a) further audit work - by specific testing to clear the point or indirectly 
from other work on the audit assignment 

(b) auditees - who may provide an explanation or take corrective action 

(c) the team leader or manager - as part of a continuing review process the 
team leader should examine and discuss points with auditors. He is 
concerned to see that all points are cleared satisfactorily and that all 
remaining items are sound. 

(d) inclusion in a draft report- for consideration by audit management and 
discussion with appropriate levels of line management at the end of the 
audit. 

Drafting and review 

29 If the audit is undertaken in an orderly and controlled manner the 
facts, conclusions and recommendations will be identified and recorded 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3„3 



during the audit. The report should present them in the most effective way. 

30 Draft reports are prepared for use within the audit unit and sometimes 
for further discussion with management before issuing a final report. The 
draft is normally prepared on completion of an audit, often following 
discussion with immediately responsible line management. It may be 
prepared by the auditor and reviewed by the team leader or by the team 
leader himself. 

31 Responsibility for the audit report rests with the Head of Internal 
Audit who should specify arrangements for their review, approval and 
issue. However, reports may be prepared and edited by an auditor, team 
leader or manager. 

32 When an audit involves several teams in different locations or in 
different specialist areas one report may be compiled from several. The 
draft report should be supported by all the other documents on the current 
audit file. 

33 The draft report should always be reviewed and edited by audit 
management. They should ensure that findings, conclusions, opinions and 
recommendations are supported by relevant, reliable and sufficient audit 
evidence. The draft will be discussed within the unit and consultation with 
differing levels of management may be needed before the formal audit 
report is issued. 

Format 

34 A logical order in which reports may be structured is : 

(a) audit objectives 

(b) scope of audit 

(c) main conclusions, recommendations and audit opinion 

(d) detailed audit findings 

(e) conclusions 

(f) recommendations 

(g) management comment, action agreed or taken. 

Summary 

35 A summary should give an overview of the audit. It should be brief 
and to the point and referenced to the detailed sections of the report. An 
index helps management, particularly if the report is long or complex. 

36 Audit objectives, scope and main conclusions and recommendations 

GIAM 9/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.3 



should be included in the summary. These are supported by other sections 
containing detailed findings. 

Detailed audit findings 

37 The link between the audit objectives and conclusions is made in the 
detailed audit findings. The auditor may need to describe what procedures 
and standard he used in arriving at his findings. If possible, published or 
departmental standards should be used for comparison. Adverse findings 
which arise from previously reported deficiencies in control should be 
highlighted. The findings may describe strengths or weaknesses in internal 
control and/or other results. 

38 The findings should give the minimum detail necessary to achieve the 
objective. Too much detail and the reader may be bored; too little and the 
reader is left with too many unanswered questions. If reports contain trivia 
or padding the reader may miss important matters. 

39 Detailed audit findings should be presented in a way that encourages 
the reader to form his own conclusions about their importance. 

40 Findings presented in the report should be both relevant and sufficient 
so that management may quickly grasp the problem, and its significance, 
and be led to the conclusions reached by the auditor. The auditor should 
consider what management needs to know. This will depend on the 
significance of the findings and the level of management to which it is 
mainly addressed. 

Conclusions 

41 Conclusions are an expression of audit opinion. They include the 
auditor’s assurance, or otherwise, on the adequacy and effectiveness of 
internal controls and his assessment of risk or of opportunity for improved 
performance. 

Recommendations 

42 Recommendations for improved control should be made where 
appropriate. Where no recommendation is made because of seemingly 
intractable difficulty attention should nevertheless be drawn to the 
problem so that it may be considered. 

Management comment 

43 The inclusion of auditee reaction to audit recommendations, 
especially when action was taken or agreed, helps the follow-up process. 

GIAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



€3.3 



The report should acknowledge auditees’ contribution towards identifying 
problems and solutions. 

Presentation 

44 A well presented report is more likely to be understood. Clean copies, 
covers, front sheets, and neat, accurate typing give a professional look and 
encourage the reader’s attention. One and a half spacing is easier on the 
eye than single spacing. Good artwork, diagrams and graphs may explain 
more effectively than narrative. Reference material should be included as 
appendices where possible. 

45 Front sheets and covers may include basic information: 

(a) date the audit started and ended 

(b) date of the report 

(c) references to interim reports 

(d) the subject and/or location(s) of the audit 

(e) index or list of contents, 

(f) name(s) of the auditor(s) 

(g) reference number 

(h) distribution. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



ADVICE ON DRAFTING 



C3.3 

Appendix 1 



1 The audit report conveys knowledge and information from the auditor 
to line managers. If the audit report fails to convey a compelling message 
quickly it is likely to receive scant attention. Report writing should 
translate information so that it is received and easily understood with 
minimum loss. The use of words and language is dealt with in “The 
Complete Plain Words” by Sir Ernest Gowers. Some points of particular 
relevance to audit reporting are briefly metioned here. 

Clarity 

2 The words chosen should precisely fit the meaning intended. The 
different shades of meaning are important if findings are to be exactly 
communicated. 

3 Simple and familiar words are preferable. Jargon is best avoided, unless 
it is familiar to the reader, and slang should never be used. Abbreviations 
which are capable of more than one interpretaion, or are unfamiliar, 
hinder understanding. Acronyms should be spelt out in words when first 
used. 

4 Verbosity clouds meaning. Clauses such as “It should be noted that” 
take time to read and add no meaning. 

5 Short paragraphs and sentences have more impact. 

6 Absolutes should be used with care and imprecision should be avoided. 
Words such as ‘never’ or ‘always’ invite contradiction, those like ‘often’ or 
‘several’ invite questions. Both may distract attention from the point at 
issue. 

7 Other factors which aid clarity: 

(a) a logical sequence of ideas and paragraphs 

(b) sound and positive sentence construction 

(c) placing the emphasis of the sentence at its beginning or end 

(d) avoiding subordinate clauses which split the main part of the sentence 

(e) using active (not passive) verbs 

(f) avoiding repetition 

Accuracy 

8 Inaccurate reporting deflects management’s attention from the 
purposes of the report to a dispute about the facts. It undermines the 
standing of internal audit and the credibility of the auditor. Fact and 
opinion should be clearly distinguished. 

CilAM 9/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



€ 3.3 

Appendix 1 
Tone 

9 Audit reports should be impersonal. Reports which include personal 
criticism do not enhance the co-operation of auditees. Problems can be 
highlighted in an impersonal way by concentrating on weaknesses and their 
consequences. It is management’s task to draw conclusions from the facts 
reported in the context of the people concerned. Dispassionate language 
should reflect the objective approach of the auditor. 

10 The auditor’s responsibility includes offering constructive 
recommendations. A positive approach is more likely to persuade the 
reader to take appropriate action. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 9/83 



C3.4 



Audit Management 



Introduction 

HIA’s MANAGEMENT RELATIONSHIPS 

Accounting Officer 

Reports to the Accounting Officer 

Principal Finance Officer 

Principal Establishment Officer 

Management of other review agencies 

Audit committee 

Professional 

MANAGEMENT OF THE UNIT 

Planning 

Organisation 

Time recording 

Communications 



OIAM 12/83 



continued overleaf 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.4 



Co-ordination 
Formal guidance 
Quality control 
Quality assurance 

ASSIGNMENT MANAGEMENT 

Staffing 

Work plan 

Audit briefing 

Liaison with line management 

Supervision 

Progress control 

Review 

Reporting 

Appraisal 

HIA’s personal responsibilities to the Accounting 
Officer: Appendix 1 



Printed image digitised by the University of Southampton Library Digitisation Unit 



01 AM 12/83 



C3.4 



Introduction 

1 The task of audit management is to achieve the objectives of internal 
audit, to approved standard, through audit staff who are using good audit 
methods and procedures. The most senior manager will be the Head of 
Internal Audit. He may be supported by managers and/or leaders of audit 
teams made up of two or more auditors. The task is the organising, 
planning, directing, controlling and co-ordinating of the unit and individ- 
ual assignments. 

2 The adequacy of audit management will be demonstrated in the 
efficiency of planning, documentation and reporting processes of the unit 
and of individual assignments as outlined in the other parts of C3. These 
are the tools which help managers to manage the most important resource 
in the unit — its staff. 

3 This chapter does not deal primarily with staff management but 
concentrates on the audit task. It brings together, and expands where 
necessary, guidance on audit management in other parts of this manual 
and provides a point of reference for audit managers and team leaders. 
The Standards, in particular, give the Head of Internal Audit and his 
managers criteria of good practice: they are the authoritative basis for 
this Chapter. 

4 The chapter is in three parts. The first outlines the Head of Internal 
Audit’s relationship with his colleagues and senior management. The 
second describes features to be considered in managing the audit unit. 
The third deals with the management of an audit assignment. 



HIA’s MANAGEMENT RELATIONSHIPS 
Accounting Officer 

5 The Head of Internal Audit is appointed by the Accounting Officer 
(subject to the approval of the Treasury) to whom he has right of direct 
access although he normally reports directly to the department’s Principal 
Finance Officer. He should need to use his right of access to the Account- 
ing Officer only in exceptional circumstances. 

6 The HIA’s terms of reference are specified by the Accounting Officer 
to whom the HIA gives assurance (or otherwise) on the department’s 
internal control system. The Standards in Section B indicate that the Head 
of Internal Audit is responsible directly to the Accounting Officer for 
certain tasks. For convenience, these are summarised in Appendix 1 of 
this chapter. 

GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.4 



7 Accounting Officers are charged with paying particular attention to 
the adequacy and effectiveness of internal audit (‘Government Accounting’ 
section C— responsibilities of an Accounting Officer). This requires pro- 
fessionalism and commitment from the Head of Internal Audit and his 
staff and will be reflected in the quality of individual audit assignments. 



Reports to the Accounting Officer 

8 The Head of Internal Audit advises his Accounting Officer on the 
extent to which he can rely on the adequacy, reliability and efficiency of 
the department’s internal control system. This assurance is contained in 
his report to the Accounting Officer which may be annual or more 
frequent if required. In this the findings from individual audit assignments 
(which will have been reported to line managers responsible) are considered 
and the audits performed are compared with those planned for the period. 

9 The report’s content, presentation and design should be carefully 
considered in the light of the Accounting Officer’s requirements. It should, 
for instance, analyse and distill common conclusions arising from audits 
or significant weakness or inefficiency. Planned audits not actually perfor- 
med should be reported because they weaken the assurance the HIA is 
able to give. 

10 In giving assurance in his report the HIA should take account of: 

(a) current period audits including follow-up action by line management 

(b) results of continuing reviews of higher level controls 

(c) management action taken on previous audits 

(d) significant recommendations not accepted by line management and/ 
or consequent risks 

(e) the effect of any significant changes in the department’s arrangements 
or systems 

(f) matters arising from previous reports to the Accounting Officer. 

11 The report also provides an opportunity for the HIA to record his 
view on the status and prospects of the audit unit including: 

(a) staffing — cost: adequacy: training: turnover: succession: secondments: 
vacancies etc 

(b) the capacity and competence of the unit to achieve its terms of 
reference 

(c) any limitations which affect the HIA’s opinion and, in particular, any 
changes from the previous report 

(d) a look forward to the next and subsequent periods. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



OIAM 12/83 



€3.4 



12 The effect of the year’s work on the long-term plan should be 
discussed. Future plans may also be put forward for consideration and 
approval at the same time. The short-term plan, to which the unit is 
currently working, will already have been approved before the planning 
period began and should have taken account of the matters now reported. 
A revised short-term plan may, however, need to be prepared and imple- 
mented if immediate changes in priorities arise from consideration of the 
report. 

13 The report should enable the Accounting Officer to judge the calibre 
of the unit and to give direction to it or his senior line managers. 

14 The HIA may find it necessary to submit more frequent reports to 
the Accounting Officer, for example, if he wishes to draw attention to 
major audit findings or if there is a serious failure to act on audit 
recommendations . 

Principal Finance Officer 

15 The Head of Internal Audit should have a close working relationship 
with the Principal Finance Officer who ensures that audit staffing, training 
and other organisational arrangements are adequate to enable the HIA to 
meet the required objectives and standards (‘Government Accounting’ 
Section C— responsibilities of a PFO). He should receive a copy of all 
audit reports although addressed to responsible line managers. The PFO 
is normally the HIA’s reporting officer and second reporting officer for 
senior audit staff. 

16 The PFO is responsible, with the Principal Establishment Officer, for 
supporting the Accounting Officer in the economical, efficient and effec- 
tive management of public funds and other resources. The Head of 
Internal Audit should therefore consider, with them, the best means of 
ensuring the co-ordination and effectiveness of internal audit and other 
review bodies such as staff inspection and management services. 

Principal Establishment Officer 

17 The Head of Internal Audit, in consultation with the PFO, should 
agree with the PEO the staffing of the unit and the provision of required 
training for his staff. The HIA should take care to ensure that his PEO 
is aware of the standards to which the unit works. 

Management of other review agencies 

18 The Head of Internal Audit should maintain close links with the 
Heads of other review agencies. This may involve, for instance, periodic 

GIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C3.4 



meetings to discuss plans and any points arising from audit or review 
agencies’ reports. The independence of the audit unit should not, however, 
be prejudiced (B9.ll). 

Audit committee 

19 The Accounting Officer may decide to establish an audit committee 
to advise him on internal audit, external audit and related matters. 
Depending on terms of reference, the HIA may be called upon to advise 
the audit committee or to provide them with audit plans and reports. 

Such a committee can help the department to understand and promote 
the role of internal audit. 

20 The PFO may chair an audit committee and the HIA attends either 
as a member or adviser. His relationships with and access to the Account- 
ing Officer and PFO should not be weakened by such a committee. An 
audit committee is not a substitute for the HIA’s management of the 
audit unit nor does it diminish his responsibilities. 

Professional 

21 The HIA should maintain links with internal auditors outside the 
department. He should liaise with the Treasury’s Internal Audit Develop- 
ment Branch. Contacts with other internal auditors in government depart- 
ments, other parts of the public sector, the private sector and appropriate 
professional bodies will help to keep him and his staff aware of develop- 
ments. 



MANAGEMENT OF THE UNIT 

22 The HIA’s responsibilities cannot be delegated: all audit assignments, 
reports and the resultant opinion he gives in the annual report are his 
responsibility. In practice, however, he allocates audit tasks or assignments 
to audit teams. He may also (depending on the size of the unit) allocate 
other management functions and responsibilities. 

Planning 

23 Planning is a primary function of management. A manager cannot 
successfully organise, direct or control if he has not planned carefully. 
Planning is concerned with the achievement of objectives by the allocation 
of resources to perform tasks within agreed parameters. The mechanics 
of this are detailed in C3.1. In preparing the unit’s operational plans the 
HIA will have taken account of the views of management, the results of 
audit assignments and the opinions of his staff. 

GIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



Organisation 

24 The organisation and structure of a unit is determined by the size 
and complexity of a department. Whatever the structure, staff should be 
allocated in a flexible way so that professional results are obtained without 
stifling initiative or wasting time on excessive management. 

25 There is no ideal structure for an internal audit unit. The structure 
will be influenced by the tasks to be performed, as determined in the 
planning process, and the staff available. The Head of Internal Audit, 
and his managers, should ensure the structure adopted optimises the use 
of staff. 

26 The structure adopted should reflect the allocation of responsibilities 
between the various levels of audit management and provide for delegation. 
Where there are only a few internal auditors they may report directly to 
the HIA for all or part of their work. In a larger unit auditors (singly or 
as a group) answer to him through team leaders who may be responsible 
for individual assignments to audit managers who may handle blocks of 
work. Assistant or trainee auditors will be supervised by team leaders 
assisted by auditors. The size and composition of teams will need adjust- 
ment from time to time. 

27 An approach where teams cover all types of work has the advantage 
of giving auditors a wide range of knowledge. This may mean, however, 
that auditors are not used efficiently particularly when they have to spend 
a lot of time gaining experience needed for an assignment. In larger 
departments separate teams to deal with certain specialised functions can 
be of value. This has advantages in providing continuity of expertise, 
clearly allocates responsibility, and builds a fund of specialised knowledge. 
Major disadvantages are inflexibility arising from specialism and a possible 
loss of objectivity. Care is needed to prevent loss of contact between 
teams. Specialist teams form a pool of skills from which others can draw. 

28 Organisation on a regional or area basis may be convenient, where a 
department’s services are spread over a wide geographical area, to reduce 
travelling time and give auditors a better knowledge of local conditions. 
But it can present difficulties, for instance in achieving a common 
approach, and needs effective central management. 



Time recording 

29 A system of time budgeting and recording should be established 
within the unit. It should analyse the time spent directly on audit and 
administration, supervision, annual leave etc as described in paragraphs 
12-18 of C3.1. This will form a basis for monitoring individual audits, 

OIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€3.4 



provide input to the audit planning process and help ensure that staff are 
used in an efficient way. 

Communications 

30 Good communications between staff at all levels are essential in the 
internal audit unit. Audit managers should keep staff informed, for 
instance of audit results, particularly when they operate in differing 
locations. 

31 Regular meetings between audit management and staff maintain team 
spirit and encourage the exchange of views on current audits, planning 
future work etc. Training days where all or some staff come together for 
instruction, discussion or briefing are a good method of keeping auditors 
informed of new techniques, developments etc. Management should 
encourage attendance at appropriate conferences and seminars. The knowl- 
edge obtained should be communicated to other auditors. Articles in 
journals, magazines, changes in legislation, circulars etc should be circu- 
lated. Some of this information may be communicated through a staff 
bulletin or newsletter. 

Co-ordination 

32 In order to form a view on the internal control system, or parts of 
it, the results of individual audit assignments must be co-ordinated by 
senior audit management. This will be aided by the audit planning process 
and culminate in the HIA’s report to the Accounting Officer. 

Formal guidance 

33 The Head of Internal Audit should prepare guidance and instruction 
for audit staff on the policies, principles, practice and techniques of 
internal audit. The form and content should be appropriate to the size 
and structure of the audit unit and its work. They should normally 
describe the organisation and management of the unit, its objectives and 
the processes to be used in arranging and conducting an audit and 
following-up results. An audit manual is particularly useful for new 
entrants and for the training and development of staff. It will aid the 
application of standard procedures and the control of audit assignments. 
Guidance should be based on this Manual. 

Quality control 

34 Audit management is responsible for ensuring, and must be satisfied 
with, the quality of audit work. The control of individual assignments is 
fundamental to the effectiveness of the unit. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 12/83 



C3.4 



35 In addition to the routine reviews of audit assignments (see below) 
the HIA may wish to monitor, maintain and improve the overall quality 
of the unit’s work through planned internal reviews of completed audits. 
This can be achieved by members of staff not involved in the original 
audit viewing and appraising the quality of selected audit work. Over time 
the work of all teams should be subjected to review. Such reviews may 
also sample selected types of work. Weaknesses revealed should be discus- 
sed with responsible auditors and more pervasive problems brought, with 
necessary instruction for corrective action, to the attention of the entire 
unit. 

Quality assurance 

36 The Accounting Officer needs to be satisfied that he can continue to 
rely on the work of the audit unit. Line managers will also expect the 
unit’s work to be appraised. This can be secured by reviews of the 
operation of the unit by experienced internal auditors from outside the 
department to appraise the quality of the unit’s work and to report and 
make recommendations on its compliance with standards and good prac- 
tice. The Accounting Officer should authorise such a review. 

ASSIGNMENT MANAGEMENT 
Staffing 

37 The planning process should have shown what audit staff and special- 
ists were needed within the unit. This will be reflected in the staff allocated 
to individual assignments. It is important that an audit is staffed by the 
right mixture of staff involving consideration of experience, specialism, 
training needs and the level of supervision. This requires the setting of 
realistic targets, the allocation of time required to achieve desired results 
and the use of staff suitable to the task. 

38 An audit is normally led by a team leader. Audit management should 
be satisfied that he understands the scope and objectives of the audit. 

The extent of his responsibilities should be clear and such that he can 
operate effectively in the field. It should normally be his responsibility to 
prepare a work plan. 

Work plans 

39 All audit work should be authorised through the audit work plan 
(see C3.1) which is agreed following discussion between the responsible 
audit manager and the team leader. It is important to agree: 

(a) the objectives of the audit 

(b) audit approach 

OIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€3 A 



(c) the staffing of the audit including the level and experience of staff 
and other needs such as support from specialists 

(d) a time budget divided between staff indicating duration, completion 
etc 

(e) any preliminary survey or work needed before the start of the audit 

(f) administrative arrangements, travelling time, subsistence, locations 
etc. 

Audit briefing 

40 The team leader should brief his team before the audit starts. He 
should make sure that all relevant documentation and background material 
is assembled. The aim of the briefing should be to ensure that audit 
objectives are understood by the team and particularly by auditors respon- 
sible for individual tasks. It should include approach, allocation of tasks, 
conduct, liaison with line management, reporting and administrative 
arrangements etc. The results of the briefing should be recorded. 

Liaison with line management 

41 It is wise first to agree the timing informally with line management. 
Once agreed formal confirmation may be given. Who is then notified will 
depend on local circumstances but it will normally be the Head of a 
Division and/or senior officer concerned. Line management should be 
informed of the purpose of the audit, its approximate duration and asked 
if there are any areas of special concern to them. If the audit approach 
requires a surprise visit the most senior manager should normally be 
informed on arrival. 

42 At the start of the audit, the team leader should call on line managers 
responsible for the work to be audited. He should explain the audit task 
and the systems or activities to be examined. Any further requests for 
audit to look at matters not covered in the work plan should be referred 
to audit management for decision. It may also be helpful to describe the 
role, method and reporting arrangements of the unit. A provisional 
timetable and a final discussion date should be agreed. Periodic meetings 
may be arranged as the audit progresses, particularly where it is prolonged 
or complex. 

Supervision 

43 Day-to-day control of the assignment and staff is the responsibility 
of the team leader. Supervision involves the monitoring of staff undertak- 
ing audit assignments, reviewing their work, developing their skills and 
making sure that performance is in line with standards and work plans. 

GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€3.4 



More supervision is called for where a trainee is being used or if an 
auditor has a low level of skill in, or experience of, the type of assignment 
to which he has been allocated. 

44 The team leader may need to agree the testing strategy with his audit 
manager and will need to be closely involved in its interpretation especially 
when using inexperienced staff. Depending on local arrangements either 
he or his manager should decide if further testing is required. 

45 The team leader is particularly concerned that adequate and appropri- 
ate audit documentation is produced to standard as described in C3.2. 

He should ensure the intelligent application of Standards particularly those 
on Controlling and Recording. 

Progress control 

46 In addition to regular meetings with team leaders the responsible 
audit manager (or Head of Internal Audit) should periodically review 
performance and progress. Failure to exercise control may result in 
objectives not being achieved or loss of direction and efficiency. 

47 Although audit management should monitor the progress of an audit 
assignment the prime responsibility for control over progress lies with the 
team leader. He should report on progress although this may be con- 
veniently achieved on an exception basis. The findings during an audit 
may indicate a need for priorities to be reassessed or for more work to be 
done. This should be discussed with the audit manager as soon as possible 
so that, if warranted, the work plan can be altered and/or priorities 
changed. 

48 Any changes to planned time should be recorded: the use of a 
standard progress report form may be considered for this purpose. The 
audit manager should consider the actual man days spent on each audit 
against the plan and determine reasons for variances. He should consider 
implications for future plans. 

49 The Head of Internal Audit and/or manager should pay scheduled 
and unscheduled visits to see audit teams at work to enable an assessment 
to be made of the manner in which the audit is being conducted and the 
expertise which is being applied. He should note any training needs 
disclosed during the audit. 

Review 

50 The review of all work should be an integral part of the audit unit’s 
procedures. This may be partly achieved through supervision and especially 
requires that completed working papers are inspected to ensure that they 

OIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C3A 



support audit findings and conclusions. Review should continue through- 
out an audit so that a more senior auditor always appraises the work of 
another. In addition, the audit manager should review audit findings and 
discuss them with the team leader and individual auditors. This should be 
done, as necessary, during the audit but is particularly important in the 
final stages. 

51 The extent of review will vary with the experience of staff and nature 
of the assignment but it should be such that the Head of Internal Audit, 
who may undertake a final review of the draft report, can be satisfied 
that the conclusions are sound and are demonstrably supported by rel- 
evant, reliable and sufficient audit evidence. There should also be evidence 
of review that all elements of the plan have been satisfactorily achieved 
and that the audit file has been reviewed by the responsible manager. 

Reporting 

52 The processes leading to the preparation of the audit report and 
subsequent follow-up are described in C3.3. Audit management must 
decide the appropriate method and level of dealing with points arising 
from the audit in accordance with local arrangements. Factors to be 
considered in arriving at an opinion and in making recommendations are 
described in C2.6. 

Appraisal 

53 Subsequent appraisal of the audit should be undertaken so that its 
conduct and value can be assessed. Audit management should ask such 
questions as: How well did staff carry out the work plan? Did they meet 
targets? What obstacles did they meet? In order to assess the validity of 
the plan they will also need to ask: Were the targets realistic? Was the 
time allotted too short or too long, in total or part? Were the planning 
assumptions justified? etc. 

54 A critical review of the performance of the team may reveal deficien- 
cies which should be remedied. This may involve staff training, better 
planning, the use of other techniques, different approach, change in 
management style etc. Audit management should determine any need for 
additional guidance, implications for other audits and the effect on audit 
plans. The view of line management is helpful in assessing audit perform- 
ance and should be encouraged. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 12/83 



C3.4 

Appendix 1 



HEAD OF INTERNAL AUDIT’S PERSONAL RESPONSIBILITIES TO 
THE ACCOUNTING OFFICER 







Standard 


Scope 


ensuring that the AO is aware of the activities 
which should be within the scope of internal 
audit 


Bl.l 




producing an assessment of audit need 


B5.7 


Giving 

assurance 


on the adequacy, reliability and efficiency of 
the department’s internal control system 


B1.5 




that the AO is adequately protected by controls 
over inter-departmental systems 


Bl.ll 




on the work of secondary auditors 


B4.13 


Reporting 


preparing (at least) an annual report of the 
activities of the unit containing his opinion on 
internal control 


B2.7 

B7.16 




significant recommendations which have not 
received adequate attention 


B7.15 


Planning 


submitting (at least) an annual plan for 
approval and giving details of variations from 
earlier plans 


B2.7 

B5.2 

B5.12 


Informing 


where audit resources are inadequate to 
provide adequate assurance 


B5.10 




any limitations placed on the audit unit 


B2.7 



GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Su pplem entary 



1 Audit of developing systems 

2 Audit of shared systems 

3 Audit role In relation to NDPBs 

4 Risk and materiality 



GIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.1 



Audit of Developing Systems 



Introduction 

General controls over developing systems 
Evaluation of control in a developing system 
Audit objectivity 

Control of developing systems: Appendix 1 
Typical stages in a developing system: Appendix 2 



GIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.1 



Introduction 

1 This chapter describes the internal audit unit’s interest in the develop- 
ment of systems. Its work involves the two distinct but closely related 
activities of auditing management’s general controls over developing sys- 
tems and evaluating the adequacy of controls in particular systems which 
are being developed. 

2 Systems are dynamic, constantly being altered to adapt them to chang- 
ing needs and circumstances. New systems arise, existing systems are 
modified and obsolete systems are closed down or replaced. In consequence 
a department’s internal control system is not constant. The Head of 
Internal Audit needs to take this into account both in planning audit 
work and in considering what assurance he can give to his Accounting 
Officer. 

3 For the purposes of this chapter developing systems include: 

(a) the modification of existing systems 

(b) replacement systems 

(c) new systems 

(d) merger of systems 

(e) closedown of obsolete or redundant systems 

4 Most new developments involve the use of computers which is dealt 
with specifically in Chapters 4 and 5 of the Computer Audit Guidelines. 
Appendix B of the Guidelines includes some useful checklists. 

5 It is vital that the audit unit is credible when dealing with the 
development of systems. Those that are large or technically complex 
require the application of special skills. Auditors faced with auditing 
developing computer systems must, for example, be well versed in appro- 
priate project control methodology. Auditors involved in this work must 
receive specific training to enable them to be effective, for instance in the 
interpretation of appropriate documentation or design specifications. 

6 The Head of Internal Audit should establish standing arrangements to 
ensure that his unit is informed promptly about proposed changes to 
systems so that necessary changes to audit plans can be accommodated 
with minimum disruption. The arrangements should not rely solely on 
information provided by management; members of the audit unit should 
stay alert to developments through normal audit work or formal and 
informal contacts and seeing minutes of meetings etc. The need to be able 
to deal promptly with unexpected changes to systems is one reason why 
there needs to be a contingency margin in a unit’s long and short-term 
plans. 

GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.1 



General controls over developing systems 

7 A department may have common arrangements for developing systems 
or different arrangements for different types of development. In either 
case, the arrangements form high level controls and the auditor’s opinion 
of them is an important element in his opinion on the internal control 
system as a whole. He needs to be able to say whether developing systems 
are well controlled. The arrangements to be audited are the rules, pro- 
cedures, standards and organisation by which the development of systems 
is managed. Good controls over the development process help to ensure 
successful completion and value for money. 

8 The key aspects of control over developing systems are described in 
Appendix 1. Appendix 2 outlines typical stages in the development of a 
computer system. The development of a system divides into stages with 
management decision points at each stage. The stages would merge for 
minor changes to existing systems but complex new systems would require 
more stages. 

9 The auditor may be able to appraise the adequacy of common arrange- 
ments for developing systems by selecting a few systems, possibly of 
different sizes and at different stages of development, as a sample. If 
special procedures apply to particular projects the auditor should ensure 
that they are adequate and carry out compliance tests to confirm his 
evaluation. If this is done separately from the review of common arrange- 
ments it is essential that lessons of common application are read across. 

10 The review of individual systems in the sample may reveal weaknesses 
in the design of one or more of them. This should prompt the auditor to 
arrange for an appraisal of the system under development. 

11 Where there are no common arrangements, systems development 
controls over individual high risk developments should be evaluated. 

12 The auditor should review the operation of controls by appraising 
them over the stages of development as described in Appendices 1 and 2. 
This will involve, for instance: 

(a) seeing that there is an adequate focus of responsibility 

(b) examining how proposals are appraised and the criteria on which 
projects are authorised 

(c) establishing whether appropriate project design and control methodol- 
ogies are in use and if so whether they are being used as intended 

(d) assessing the process of preparing planning and budgeting forecasts 
and estimates and the use of techniques such as investment appraisal 



Printed image digitised by the University of Southampton Library Digitisation Unit 



01 AM 12/83 



€4.1 



(e) testing that documentation is produced to standard and at the right 
time and is properly safeguarded against loss or mis-use 

(f) satisfying himself that the work of the Quality Assurance group, 
where it exists, is effective otherwise he must examine the supervisory, 
training, and other controls that ensure good quality work 

(g) seeing that management has adequate arrangements for testing systems 
under development and users are involved in it 

(h) looking for evidence of adequate plans for implementation bearing in 
mind the need for careful co-ordination 

(i) examining the results of post-implementation evaluation to see if 
projects are regularly over budget, late or not to specification. 



Evaluation of control in a developing system 

13 There are three main reasons for audit interest in systems under 
development: 

(a) the initial evaluation of controls is better done before the system 
design has been agreed and acted upon rather than afterwards because 
modifications that management decides to make in the light of audit 
recommendations will then cause less disruption and abortive work 

(b) the auditor can take account of expected changes or new systems 
when providing his assurance on the continuing adequacy of the 
internal control system particularly where he knows that new controls 
have been designed but not yet implemented 

(c) some projects are so large and complex that the audit unit needs to 
become familiar with the systems while they are being developed and 
to start to construct audit documentation so that they can be more 
efficient when auditing the live system. 

14 The systems to be audited while under development need to be 
carefully selected during the audit planning process. The factors taken 
into account include: 

(a) the importance of the system once it is live 

(b) the degree of risk in the new system including the extent to which it 
will rely on new or relatively untried equipment 

(c) the cumulative effect of piecemeal changes to an established system 
which may combine to have a significant effect on internal control. 

15 The auditor must try to identify the risks which will affect the system 
and evaluate the adequacy of proposed controls. The auditor will aim to 
complete his evaluation by the end of the design phase. He should 
complete his evaluation and report before there is a moratorium on further 

GIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C4,t 



changes. Any weaknesses he has identified can then be remedied before 
the next phase of the development. As a general rule the earlier he 
questions proposals or makes suggestions the more effective he can be. 

16 The auditor finds out what the proposed control system will be by 
interviewing both systems designers and users and by studying documen- 
tation of the new arrangements e.g. user and systems specifications. In 
creating audit records and files the auditor should avoid duplicating 
management’s documentation. 

17 Both internal and external auditors will want to see features built 
into a system to enable it to be audited easily and effectively. This is 
often achieved through their joint consideration of appropriate projects. 

Audit objectivity 

18 If, exceptionally, an auditor is a member (as distinct from an advisor) 
of a design team he is not acting as an auditor in that capacity. He should 
not be required to evaluate the adequacy of controls in that system. In 
these circumstances the Head of Internal Audit needs to take particular 
care which auditor he assigns to do this (see B2. 10-17). 

19 The audit unit may be under some pressure not to raise objections 
because they may affect the timely implementation of a system particularly 
if it is late in raising them. Such pressures should be resisted: the auditor 
may comment at any stage. 

20 It is for the Head of Internal Audit to decide which projects to audit 
and at what stage. The audit unit should not sign-off a project as this is 
an executive responsibility and differs from its opinion on the adequacy 
of controls. Audit should not be required to report on every project and 
should not become a regular part of the approval process. 

21 Difficulties can usually be avoided by an auditor making it clear to 
management, at the start of his involvement, what his objectives are, the 
timing and nature of his work and how he intends to report. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



OIAM 12/83 



C4.1 

Appendix 1 



CONTROL OF DEVELOPING SYSTEMS 
Organisation 

1 System development should be controlled by 
higher management by ensuring that suitable project 
teams are set up and procedures introduced. Where 
developments are numerous it is common for a 
steering or co-ordinating committee to oversee all 
developments eg project control groups for com- 
puter developments may report to a Departmental 
Information Technology (IT) Committee. Where the 
system is shared, responsibilities of the departments 
involved must be clearly defined as must the respect- 
ive roles of user, developer, finance and top manage- 
ment for all projects. 

The need for systems development 

2 New systems will normally originate at the 
instigation of top management while proposals for 
amendments to existing systems will arise from the 
operational level. In each case there must be a 
justification for the proposed change and authoris- 
ation by the appropriate level of management. 
Reasons for change may include altered objectives 
or the need to achieve the same results in a different 
way. Change may also be prompted by a system 
failing to achieve its objectives efficiently, effectively 
and economically. Procedural changes often fall into 
this category. At this first stage, management may 
authorise work merely to define and classify the 
problem and present outline solutions. 

3 When there are competing demands for system 
development work, management needs a method of 
allocating priorities and choosing projects to tackle. 
A high level steering committee is often used to 
select projects. Decisions should be based on timely, 
accurate and unbiased information and should be 
made at the right level. Where selection of projects 
is delegated to a lower level decisions to go ahead 
with projects should be made only after taking 
account of any other relevant developments in the 

GIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



€4.1 

Appendix 1 

organisation. Benefits of a project should be seen 
in the context of the organisation, not just of the 
instigating division. 

Objectives of the new system 

4 The objectives of the new system should be 
clearly defined, compatible with the needs and objec- 
tives of the organisation and with the needs of the 
ultimate user of the system. Where the initiator or 
developer of the new system is not the user, there 
should be adequate communication and consultation 
to ensure that the system meets the real demands. 
The user should be represented at a sufficiently high 
level for his views to be taken into account. 

Formulation of possible solutions 

5 Several solutions should be developed to allow 
appraisal and selection of the best. Proposed solu- 
tions should be measured against the objectives of 
the system and, in the wider context, the departmen- 
tal objectives. Alternatives such as developing the 
system or buying a ready made solution should be 
explored. 

Evaluation and selection of solutions 

6 Appropriate appraisal techniques should be used 
and advice obtained from specialists where needed. 
Treasury guidance on investment appraisal should 
be followed. Because decision making involves bal- 
ancing many conflicting factors and making assump- 
tions based on limited information managers may 
make different decisions in any given circumstances. 

Organisation and control of the design process 

7 It is the responsibility of the authorising body to 
appoint a key person to control each stage of the 
project. To maintain control the development will 
normally be sub-divided into manageable stages, 
each terminating with an end-product, usually a 
report or documentation linked to completion of a 
process (eg installation of equipment). Estimates of 

GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.1 

Appendix 1 



time and resources must be produced. There should 
be report-back at the end of each stage before 
authorisation is given to proceed to the next stage. 
If necessary, projects can be abandoned or modified 
at any decision point. Consultation with interested 
parties, eg internal audit, should be programmed 
into the plans. 

8 Standard project design and control method- 
ologies have been devised for computer projects, eg 
PROMPT II (Project, Resource, Organisation, 
Management, Planning, Techniques) is a mandatory 
standard for many types of system development and 
procurement. SSADM (Structured Systems Analysis 
and Design Methodology) is similarly the standard 
for systems analysis and design. 

9 If a standard methodology cannot or is not 
adopted suitable alternative plans and procedures 
should be applied. The aim is to ensure that the 
systems which are developed are to specification, on 
time, within budget and meet the needs of the user 
and the organisation. 



Quality assurance 

10 It is becoming common to have a quality assur- 
ance (QA) function which monitors system develop- 
ment and reports deviations from standards eg it is 
a key element in PROMPT. QA may also have an 
enforcement role. If QA does not exist the super- 
vision, training and other controls must ensure good 
quality work. 



Testing by producer and users 

11 Testing the new system at the end of the pro- 
duction stage is often performed in two parts. First 
the system producer tests to make sure that it oper- 
ates as he envisaged it should. Next the ultimate 
user of the system tests it, or arranges for it to be 
tested according to his specifications, to ensure that 

OI AM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.1 

Appendix 1 

his requirements have been correctly interpreted and 
translated. Testing should be comprehensive and 
adequately documented. 

12 In computer systems testing should be extensive. 
Chapter 18 of the Computer Audit Guidelines 
describes the use of test data by auditors. Testing 
facilities which may be required after the system 
goes live must be specified early in development, 
normally as part of the user requirement. 

Implementation 

13 The implementation phase includes many 
parallel streams that need careful co-ordination by 
management eg training staff, converting files, mak- 
ing ready equipment and accommodation. In major 
projects techniques such as network analysis, bar 
charts etc will be used. The risk of the new system 
failing can be mitigated by parallel running or pilot 
running. 



Post implementation evaluation 

14 Once the new system is operational and any 
initial problems have been overcome management 
should review the project to see if it has brought 
the expected benefits. Management can decide 
whether changes to the system are needed or in cases 
of serious malfunction whether the system needs to 
be closed down. The evaluation can reveal any faults 
in management’s arrangements for developing sys- 
tems. 



Documentation 

15 Documentation is used as an aid to progressing 
and controlling development and as a means for 
making maintenance of systems easier after 
implementation. It is valuable and must be safe- 
guarded against loss. In some cases the information 
is sensitive and access should be restricted. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 12/83 



C4.1 

Appendix 2 

TYPICAL STAGES IN A DEVELOPING SYSTEM overleaf 

for a computer project 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.1 



TYPICAL STAGES IN A DEVELOPING SYSTEM 
for a computer project 




RESULTS 

Terms of reference aims and 
objectives, boundaries 



Feasibility report recommended 
solution 



Resource plBns 
Technical plans 
Broad specification 



Logical system design 



Operational requirement 
(it required) 

Physical system design 



The system 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 12/83 



€ 4.1 

Appendix 2 



COMMENTS 



Project board 

P 

Project board 

Project board 

Project board sign-off 

Project board 
IT Committee 




GIAM 12/83 



Cont.^ 

from 

previous 

page 



Install equipment 
(if required) 




IT committee sign-off 

X 



Maintain and operate 
system 



C8pk« 1 project or correct 
equipment installation 



Cancel project or revise 
and retest system 

tzzzzi: 



Cancel project 
or revise system 

r~~ ~ 



Abandon or 
revise system 

~ — cz 



Abandon or revise system 
review project Control methods 



RESULTS 



Test results and documentation 



Post-implementation 

evaluation report 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.2 



Audit of Shared Systems 



Introduction 
Responsibilities 
Joint audits 

Identification of shared systems 



GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4*2 



Introduction 

1 “Some systems are used by more than one department and a depart- 
ment may be responsible for identifiable components of a system, use 
data produced by another’s system, or carry out functions on behalf of 
others. The Head of Internal Audit should satisfy himself that the 
responsibilities for such systems have been identified and agreed, and that 
the internal controls and internal audit arrangements adequately protect 
his Accounting Officer” (B 1.11). 

2 This chapter gives guidance on the audit of such systems. They involve 
a large range of relationships between the departments concerned which, 
for the purposes of internal audit, can normally be expressed in terms of 
the respective responsibilities of the Accounting Officers. 

3 For example, the Paymaster General’s Office (PGO), provides elements 
of a banking service for nearly all government departments. Each depart- 
ment issues payable orders or other instruments drawn on its accounts at 
the PGO. The department is responsible both for these processes and the 
subsequent recording of expenditure in the Appropriation Accounts. It is 
also responsible for sending details of payment instruments issued to the 
PGO. The PGO is responsible for reimbursing banks from government 
funds and for notifying departments of payable orders cashed. 

4 However, in a case such as the Civil Superannuation system operated 
by the same department, preparation of input in terms of pension awards 
is the responsibility of individual departments. But their subsequent pro- 
cessing, payment, recording and accounting is the responsibility of one 
department, in this case, the PGO. 

5 Payroll is an example that combines the elements of a shared system 
in another way. A payroll centre may do a larger or smaller part of the 
detailed work to calculate an individual’s pay, depending on the range of 
services it agrees with the user department that it should provide. But, 
however complete the service, responsibility for the actual payroll remains 
with the employing department. 



Responsibilities 

6 Underlying all the differences of detail that there are between shared 
systems is the supplier/user relationship. For audit purposes the crucial 
need is clarity about who is responsible for what in that relationship. 
Otherwise there is a danger that each auditor may assume that a control 
is being appraised by another. 

GIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



€4.2 



7 When a department uses the services of another it needs to be satisfied 
that it is getting a good service founded on adequate systems which are 
subject to appraisal by internal audit. It thus relies on the work of the 
provider’s internal audit unit in assuring the quality of its own internal 
control system. 

8 The coverage of changes to systems, and new systems, should be 
cleared between HIAs in order to sustain assurance to their Accounting 
Officers. 

9 In some cases, departments are under central instruction to rely on 
controls within another. For example, departments are not expected or 
required to check the basis of PSAs scales of charges but they should 
satisfy themselves that they have received the goods and services for which 
they are charged (DAO 4/83). Hence the auditor in a customer department 
should not recommend controls which duplicate those elsewhere. 

10 Situations may arise where the system objectives of the departments 
concerned in a shared system differ, thus affecting their respective audit 
approaches. Furthermore, though it will not normally be necessary to 
define control objectives separately for each department, they may some- 
times face different risk exposures, and thus require specific control 
objectives. In either case, secondary auditors (B4.13) may need to under- 
stand the particular requirements of Accounting Officers other than their 
own. 

11 Meetings may be necessary to discuss progress and problems which 
may have implications for either auditor. Secondary auditors may need 
to make their files and working papers available to the HIA (B4.15), who 
should review as necessary the work carried out (B4. 17-18). He will 
usually require some familiarisation with the methods of the secondary 
auditors. 

12 It is unlikely that any review of the work of other auditors would 
extend beyond an examination of the files and working papers. If he had 
suspicions as to the quality of work performed the HIA should raise the 
issue with his counterpart. 

13 In planning the audit work necessary for shared systems, the auditors 
in each user department should bear in mind how far they can share 
others experience and documentation such as audit programmes, ICQ’s, 
etc. 

Joint audits 

14 On occasion user and provider, or several users, may decide to field 
a joint team of auditors or have a joint audit to examine a system as a 

GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.2 



whole regardless of the departmental boundaries. It is important in such 
a case to ensure that all the HIA’s concerned have access to the relevant 
results of the audit. 

15 Early agreement will be necessary in a joint audit to agree the working 
methods and documentation to be used. The composition of the team will 
need consideration; thus if one unit is providing most of the staff, 
particularly trainees or inexperienced members, it may be preferable to 
adopt that unit’s practice even if it is not that of the team leader. 

Identification of shared systems 

16 The auditor should adopt the same criteria in identifying shared 
systems as outlined in C2.2. They will normally be identified through 
manuals or desk instructions as receiving input from, and/or distributing 
output to, one or more other departments. Identical manuals etc may be 
used by different departments. Where these are non-existent or inadequate 
the auditor may need to rely on discussions with staff, or his knowledge 
of known similarities, to identify such a system. 

17 If an auditor is in doubt as to whether he is faced with a shared 
system, he should treat it as unique to his department and audit on that 
basis. 

18 Heads of Internal Audit involved should ensure that there are up-to- 
date records of shared systems, and that they are confirmed or amended 
regularly. 



OIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.3 



Audit r»'>'ie in relation to Non- 
Departmental Public Bodies 



Introduction 

Appraisal of departmental arrangements 
Providing an interna! audit service to NDPBs 



GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.3 



Introduction 

1 The purpose of this chapter is to clarify the responsibilities of a 
sponsoring department’s internal audit unit with regard to a department’s 
dealings with its non-departmental public bodies (NDPB’s) and to provide 
guidance about how these responsibilities can be carried out. 

2 The public sector contains a great variety of bodies apart from 
government departments and local authorities. In every case a Minister 
looks to the bodies he sponsors to be effective, efficient and economical 
in the conduct of their affairs. His department needs appropriate arrange- 
ments to follow through his interests which will depend on, for example, 
the function of the NDPB, why it was set up and the scale of its activities. 
Departments aims and objectives in this area, and therefore their arrange- 
ments and procedures, are developing. The internal auditor needs to 
understand these aims and objectives in order to appraise current arrange- 
ments. 

3 A guide issued by the Management and Personnel Office ‘Non-Depart - 
mental Public Bodies: A Guide for Departments’ contains advice on good 
practice and prescribes certain actions that are binding on a sponsoring 
department. Internal auditors in departments concerned with NDPBs of 
types covered by it should keep up-to-date with its contents. Relations 
with individual nationalised industries, the National Health Service and 
some other bodies are not included in the Guide. 

4 The main task of the internal audit unit is to appraise the adequacy 
and effectiveness of the department’s systems for its dealings with its 
NDPBs. This may involve some work within NDPBs (see BI.7). The 
unit’s terms of reference may also provide that it should examine specific 
activities within NDPBs and/or participate in, or undertake, periodic 
reviews or other examinations. 

5 When an NDPB does not have an internal audit unit, arrangements 
may be made for the sponsoring department’s internal audit unit to 
provide an internal audit service on an agency basis. 



Appraisal of departmental arrangements 

6 A decision that a function shall be carried out by an NDPB is a 
recognition that the body should have a degree of independence from 
government. The right balance has to be found between this and the 
government’s continuing interest in both its functions and its performance 
of them. Internal Audit is concerned with the adequacy of a department’s 
arrangements for setting up any new NDPBs; for servicing existing NDPBs; 

GIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



<J4.3 



for monitoring and controlling them; for reviewing the continued need 
for individual NDPBs; and for winding them up. 

7 These arrangements should ensure that: 

(a) An NDPB is created only where this is the most appropriate way to 
do the job; its status, powers and organisation will enable it to operate 
well; the department has an appropriate level of control, right of 
access, and procedure for dissolving the body. 

(b) The form of funding is appropriate and the systems for regulating 
the flow of funds are adequate. 

(c) Appropriate objectives and targets are set and that there are adequate 
mechanisms for monitoring and controlling. 

(d) The department is capable of providing advice and assistance as 
required on matters such as staffing, management and financial 
systems, internal audit and legal affairs. 

(e) The department monitors the performance of an NDPB in providing 
an efficient, effective and economical service against agreed standards. 

(f) The department reviews regularly the purpose of and continuing need 
for an NDPB. 

(g) The department receives and uses the information it needs to exercise 
its responsibilities. 

8 In evaluating the effectiveness of its department’s procedures internal 
audit may have to examine activities within NDPBs. For example, internal 
audit may wish to test the soundness of the relevant sponsoring division’s 
opinion that arrangements for financial control within an NDPB are 
adequate. To do this it would need to appraise financial control arrange- 
ments in the NDPB. 

Providing an internal audit service to NDPBs 

9 Some NDPBs are too small to warrant their own internal audit unit 
and may choose to seek help from the sponsoring department. If so the 
following are some of the issues to be taken into account (see Bl.7-8). 

10 Time spent auditing an NDPB is time taken from auditing the 
department’s own systems. A unit’s first responsibility is to provide 
assurance to its Accounting Officer on his department’s internal control 
system. Additional commitments should be undertaken only if they do 
not adversely affect coverage of the department’s systems. 

11 An initial exercise to assess audit need should be carried out so that 
agreement can be reached with the body about the time required. This 
should be agreed in advance of each period’s audit activity. 

OIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.3 



12 When the unit acts as internal auditor to one of its department’s 
bodies it normally reports to the body and not its own department. 
Reporting arrangements and rules about confidentiality must be agreed in 
advance. 

13 If the cost of the service is likely to be significant agreement must be 
reached with the body about repayment. Points to be agreed include costs 
to be recovered, method and timing of payments and any implications 
for the department’s funding of the NDPB. 

14 The decision to provide an internal audit service on an agency basis 
could result in a loss of objectivity by the sponsoring department when 
appraising the NDPB’s internal control system (of which internal audit is 
a part). It might, for instance, be less ready to criticise such an internal 
audit service. To lessen this risk it is essential that an auditor involved in 
any such review is not one of those used in providing the agency service 
to the NDPB. 



GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€4,4 



K sk and Materiality 



Introduction 

Definitions 

Uses 

Risk index 

Judgemental comparison 
Monetary effect 

A simplified risk index: Appendix 1 
Risk index elements: Appendix 2 
A comparison of risks/components: Appendix 3 



OIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€4.4 



Introduction 

1 This chapter describes risk and materiality. It onlines some general 
techniques for analysing risks and shows how the results can be applied 
in audit planning and in individual audit assignments. 

2 Risk analysis is based essentially on subjective judgement but various 
techniques can be used to make the analysis more systematic and in part 
more objective. Three techniques are described with guidance on their 
application. Use of them will strongly support the auditor’s judgement 
on the priority and frequency of audits. They can also help to identify 
areas of high exposure which might otherwise not have been identified. 



Definitions 

3 Risk can mean the chance or likelihood of an event, desirable or 
undesirable (variability risk) or the possibility that events will turn out 
less well than expected (optimistic bias). In this chapter risk is used in the 
sense of variability risk and more specifically downside variability risk, ie 
the likelihood of an undesirable event. The chance of fire in a warehouse 
is one example. Other unwelcome occurrences include failure to make 
efficient and economical use of resources, failure to achieve objectives, 
safeguard assets and comply with policies and procedures. 

4 Risk in the sense of optimistic bias will be present when the auditor 
tries to estimate the likelihood of unwelcome events or when he makes 
assumptions during the formulation of recommendations. The consequence 
of an unwelcome occurrence can usually have a monetary value put on it. 
It may also have other consequences. Exposure is a measure of risk and 
cost. It can be expressed as: 

exposure = risk x cost of the consequence 

where risk is the probability that an event will occur. None of these is 
fixed and an audit report may well make recommendations for reducing 
them. 

5 Materiality means relative importance or significance. It may be stated 
as a monetary value but this can be insufficient: non~monetary conse- 
quences can be very material. In addition to absolute monetary value 
some other indicators of materiality are: 

fraction of the total at risk 
importance of an item to achievement of goals 
contribution of an item to maintaining adequate control 
extent of embarrassment to Ministers or the public service. 

OIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.4 



6 Materiality may combine both monetary and non-monetary effects. 

For example, the safeguarding of dangerous drugs might be material not 
only because of the cost of replacing them but because of what could 
result from their loss. Deciding what is material is a subjective judgement 
particularly when applied to intangibles such as embarrassment. 

7 Risk analysis is a tool and the results should be used as an aid to 
judgement. The models and approaches should be tested for sensitivity 
before they are used and refined as experience is gained or circumstances 
change. Use of risk analysis should result in documentation to be retained 
as a record of how decisions on priorities were made. 

Uses 

8 Risk analysis enables the auditor to evaluate exposure by taking 
account of the probability of events occurring and the cost of the 
consequences. There are three approaches and these enable the auditor to 
prepare different assessments of exposure — a numerical rating of exposure 
(risk index technique), comparative exposure (judgemental comparison) 
and actual exposure (monetary effect). 

9 Risk analysis is primarily used to assess priorities during audit planning. 
The sophistication of the techniques the auditor chooses to employ will 
depend upon the required accuracy and order of priority. His existing 
knowledge of systems in the department and the amount of research he 
can undertake will also determine the approach. Ranking systems can be 
a simple assessment based on limited knowledge or a detailed evaluation 
of exposures and controls in individual systems. If he opts for a simple 
assessment of systems the results of subsequent audits can be used for 
improving the base of knowledge. 

10 For assessing priorities the calculation of risk indices is probably the 
most useful approach. Risk analysis can also be used during an audit to 
help highlight the need for controls. Judgemental comparisons and the 
calculation of monetary values will normally be used at this stage and 
can give an upper value for the amount to spend on controls to reduce 
the estimated exposure. The benefits of reducing exposure must be weighed 
against the cost so that excessive control can be avoided. Further guidance 
on making comparisons between costs and benefits is given in the Treasury 
booklets on Investment Appraisal in the Public Sector. 



Risk index 

11 A risk index provides an approximation to a measure of exposure, 
which avoids the need to put explicit values on either risk or cost, as 

GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€ 4.4 



defined in paragraph 4. It provides a way of combining the characteristics 
or elements of a system only some of which have monetary values. In 
calculating the index the auditor can assign different weights to each of 
the elements he is combining to incorporate his judgement of their relative 
importance in terms of risk and materiality. 

12 The major use of risk indices is in ranking systems during planning 
to guide the auditor’s judgement in deciding priority and frequency of 
audits. An illustration of a simplified risk index is given in Appendix 1. 
Some commonly used types of elements are listed in Appendix 2. 

13 Early in the audit needs assessment the auditor will identify the 
systems to be ranked into order of priority. He must choose the elements 
of these systems which have an effect on the likelihood or consequence 
of risks and combine them into a formula which can be applied to the 
whole range of systems. 

14 An important element might be the existence of attractive and portable 
items within a system which would call for strong protective controls. A 
system incorporating such items would have higher risk and should be 
ranked accordingly. Other frequently used elements include the value and 
volume of transactions flowing through a particular system, the complexity 
of the system, and any judgement available from previous audits about 
the adequacy of controls in it. 

15 The procedure for converting elements into a common points system 
is normally straightforward. It is recommended that the auditor uses a 
common range of points for scoring all elements, eg 1-5. This allows him 
to concentrate on the more difficult task of deciding what weighting 
factors to apply to each element. 

16 In allocating weights the auditor judges between the relative signifi- 
cance of different elements as they are likely to apply to the systems. For 
example, he may consider that income is generally more of a risk than 
expenditure because the timing of income is less predictable and therefore 
less controllable by management. Thus the auditor might weight income 
higher than expenditure. 

17 The value of transactions might be thought to be less of a risk than 
their number because a large variation in amounts might be noticed 
whereas the chance of things going wrong is more directly proportional 
to the number of transactions. 

18 Organisational elements such as the effect of one system on another 
or on a range of sub-systems might be weighted higher than elements 
which apply only to the system in question. Similarly systems which have 
far-reaching effects on future decisions eg forecasting or research and 

GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€ 4.4 



development might be weighted higher than systems whose effect is more 
immediate. 

19 The auditor combines the elements and weighting factors into a 
formula which can be used to calculate the risk index. In choosing 
weighting factors the auditor must avoid introducing unfair bias into the 
formula. There are many ways to combine the elements, for example: 

Risk index = Aa + Bb + Cc + Dd + Ee + Ff 

where A-F are elements and a-f are weighting factors for elements A-F. 

20 The final stage is to apply the formula to each system by awarding 
points and calculating the risk index. 



Judgemental comparison 

21 The main use of this approach is within an audit when it helps an 
auditor to identify areas of high risk or exposure. This can help him 
decide the extent of coverage and the parts of a system which merit most 
attention. Further into the audit its use is in organising the material the 
auditor has assembled in order to evaluate controls. It can be used in 
planning but it is less objective than use of risk indices. Planning decisions 
are more difficult to justify if judgemental comparison alone is used. 

22 In reviewing a system the auditor identifies its component parts and 
the risk to which they may be subject. The effect, if any, of each risk on 
each component is then considered. He attempts to decide a simple ranking 
by comparing each risk with every other risk in turn at each stage deciding 
which of the two risks is the greater. He then ranks the component parts 
of the system to show which parts he feels most concerned about given 
his present knowledge of the system as outlined in Appendix 3. 

23 The auditor is now in a position to draw a matrix which relates risks 
with components. Each box in the matrix represents the effect of a risk 
acting on a component in the system. The top row of the matrix is filled 
by inserting the risks in ranked order from left to right. The left hand 
column of the matrix is filled by inserting the components in ranked order 
from top to bottom. He can now allocate a serial number to each control 
and record it in the appropriate box. Each box then shows a risk to a 
component of the system and the controls which prevent or mitigate the 
risk. 

24 The box in the top left hand corner of the matrix represent the most 
likely risks to the component of most concern. The auditor will want to 
pay particular attention to these high risk areas to satisfy himself that 
control is adequate. The matrix can also help him identify the key controls 

GIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€4.4 



on which he will want to place most reliance, eg where only a single 
control exists to mitigate a risk or where the same control appears in 
many positions in the matrix indicating a control with broad application. 

25 By helping to identify the importance of controls the matrix can help 
him decide the level and scope of testing. More information on the use of 
control matrices, particularly in relation to computer systems, is given in 
‘Designing Controls into Computerized Systems’ by Dr Jerry Fitzgerald 0) . 

26 To assist him in making judgements about the relative sizes of 
different risks the auditor may want to ask other experts to help him. He 
will want to listen to management’s views. Consultation should help him 
make better and more credible judgements. 

Monetary effeet 

27 Up to this stage the auditor will probably have been content to use 
judgemental estimates of risk and cost. When he reaches the stage of 
making specific recommendations he may feel the need to convert his 
judgements about extent of exposure into monetary values. On this basis 
he has to try and formalise his estimates of the probability of risk and 
costs. 

28 The auditor is most likely to use this approach to help him formulate 
recommendations for improvement in control bearing in mind the need 
for them to be cost-effective. The aim is to calculate exposure in a system 
by identifying each risk and estimating its probability and the cost of its 
consequences. Past performance, evaluation of other relevant controls and 
statistical analysis may be used in assessing the monetary effect of risk. 
Information on costs must also be taken into account. The auditor may 
also need to consider non-monetary consequences. 

29 If exposure is calculated the auditor can formulate better his rec- 
ommendations for reducing it. Risk and the cost of consequences can 
both be reduced or avoided. He should consider the materiality of exposure 
when reporting. The auditor may consider it to be immaterial but line 
management’s perspective could be different and he should not pre-judge 
their attitude. Management might want to reduce exposure even though 
in pure cost-benefit terms it would not appear to be justifiable. Conversely, 
management may be prepared to accept a level of exposure. 



(1) Published by J Fitzgerald and Associates: 1981. ISBN 0-932410-36-7, 

OIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



€ 4.4 

Appendix 1 



A SIMPLIFIED RISK INDEX 





Materiality of element 


Weighting 

factor 


Element 


Scale of 
measurement 


Points 

rating 


A Volume of trans- 


0-1,000 


1 




actions 


1,000-10,000 


2 






10,000-100,000 


3 


1.5 




100,000-lm 


4 






Over lm 


5 




B Value of trans- 
actions 


£0-10,000 


1 






£10,000-100,000 


2 






£100,000- lm 


3 


1 




£lm-£10m 


4 






Over £10m 


5 




C Opportunity for 


Difficult to easy 


1-5 


2 


conversion 









Notes 



1 In this simplified example three system elements are used, 
each with a points rating of 1-5 but with different weighting 
factors. The auditor has made the assumption that a high volume 
of transactions is generally more of a risk than a high value 
oftransactions, eg a large number of low value transactions is 
more risky than a few high value transactions even though the 
total value might be less. Thus the auditor is assuming that high 
value transactions are as a rule relatively well controlled. Oppor- 
tunity to convert assets to cash is rated even more highly with a 
weighting factor of 2. 

2 The formula used here is: 

Risk Index = (A x 1 .5) + B + (C x 2). 

3 Examples of use: 



GIA.M 12/83 





Value 


Points Weighting Weighted 
Value 


Volume of trans- 


500 


1 


1.5 


1.5 


actions 










Value of trans- 


£50m 


5 


1 


5 


actions 










Opportunity for 


average 


3 


2 


6 


conversion 










Risk Index ~ 








12.5 



continued overleaf 



Printed image digitised by the University of Southampton Library Digitisation Unit 



€ 4.4 

Appendix 1 



3. Examples of use: continued 



Volume of trans- 


5m 


5 


1.5 


7.5 


actions 

Value of trans- 
actions 


£50m 


5 


1 


5 


Opportunity for 
conversion 


average 


3 


2 


6 


Risk Index = 








18.5 


Volume of trans- 


50,000 


3 


1.5 


4.5 


actions 

Value of trans- 


£500,000 


3 


1 


3 


actions 

Opportunity for 


average 


3 


2 


6 


conversion 










Risk Index = 








13.5 


Volume of trans- 
actions 


500 


1 


1.5 


1.5 


Value of trans- 
actions 


£50m 


5 


1 


5 


Opportunity for 


easy 


5 


2 


10 


conversion 










Risk Index = 








16.5 



Printed image digitised by the University of Southampton Library Digitisation Unit 



CHAM 12/83 



C4.4 

Appendix 2 



RISK INDEX ELEMENTS 
Financial 

Value of transactions 

Volume of transactions 

Value of income 

Value of expenditure 

Capital employed 

Proportion of vote 

Opportunity for conversion to cash 

Systems characteristics 

Organisational factors — number of staff, 
supervisor to staff ratio etc. 

Complexity of the system 

Stability of the system— tendency to or likelihood 
of change 

Special elements unique to the system 

Scope and effect of the system 

Effect of system on future events and decision 
making 

Effect of system on other systems 

Management and control 

Staff morale — speed of staff turnover 
Quality of internal control within the system 
Amount of control over the system exerted by 
other systems 



OIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.4 

Appendix 3 



A COMPARISON OF RISKS/COMPONENTS 

1 Risks are identified and listed in boxes down the 
left and right sides of a grid. An identifying letter 

is allocated to each risk. 

2 Each box in the matrix allows a comparison to 
be made between the risks in the corresponding row 
and column. In this example the top box(*) shows 
the comparison between error and fraud. The box 
below(**) compares error with breach of privacy. A 
code letter is allocated to each risk. 



Error 

A 


Error 






Fraud 

B 


* 


Fraud 






Breach of 
Privacy 

c 


* * 




Breach of 

Privacy 




Breakdown 

D 








Breakdown 




Loss of 
Data 

E 










Loss of 
Data 



3 Each risk is compared with every other risk and 
at each comparison a judgement made on the relative 
probabilities of the two risks ignoring as far as 
possible the existence of controls. The code letter of 
the greater risk is entered into the appropriate box. 
If the two risks are judged equal then both letters 
are entered. 

Comparison of risks 

4 Once all boxes have been completed a score for 
each risk is obtained by counting the number of 
times the code letter occurs, for example: 

GIAM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



C4.4 

Appendix 3 



Error 


Error 








Fraud 


A 


Fraud 






Breach of 
Privacy 


A 


B 


Breach of 
Privacy 




Breakdown 


D 


D 


D 


Breakdown 




loss of 
Ocita 


A 


E 


E 


D 


loss of 
Data 



5 The auditor can now arrange the risks into 
descending order of scores, giving him a list of risks 
in order of probability. Thus D = 4 E = 2 etc: there- 
fore breakdown is assumed to be the highest risk. 

Comparison of, components 



6 Using the same comparison method, components 
can be ranked into the order of the auditor’s concern 
about them, for example: 



People 

A 


People 








Transactions 

B 


A 


Transactions 






Input 

Procedures 

c 


A 


B 


Input 

Procedures 




Terminal 

Equipment 

D 


A 


B 


c 


Terminal 

Equipment 




Computer 

Hardware 

E 


A 


B 


E 


E 


Computer 

Hardware 



Thus A = 4 : D = 0 etc. 



Printed image digitised by the University of Southampton Library Digitisation Unit 



OIAM 12/83 



€4.4 

Appendix 3 



Relating risks or components to controls 

7 The components are listed down the left side of 
a matrix and risks entered across the top in ranked 
order. The controls identified in a system are serially 
numbered and related to appropriate risks/com- 
ponents. 




8 This example shows some of the most common 
risks and components and a few controls. In practice 
more would be included although this would depend 
on the size and complexity of a system. 



OI AM 12/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



DIGEST 



This digest contains ready reference material. Some 
of the terms used by internal auditors are described 
in the glossary which is referenced to other parts of 
GIAM and to selected publications. 

Books and articles which provide useful sources of 
reference on the practice of internal auditing are 
included in the bibliography. This does not designate 
or recommend standard texts. 



Glossary 

Bibliography 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



ox 



Glossary 



References to Sections A-C: B5, B6 etc. 
References to Section D Bibliography: C3, J1 etc. 



Access control A control which pre- 
vents, restricts or detects access; usually 
referring to computer programs, files, 
records, hardware, documentation and 
stationery. C3, J1 

Accountancy terms See HMSO Glos- 
sary of Accounting Terms 

Algorithms A decision path analysis 
indicating alternative courses of action. 

Applications audit The audit of a com- 
puterised application which considers 
any discrete process, operation or 
system comprising both manual and 
computerised components. C3 

Attribute sampling Random sampling 
used to estimate the proportion of items 
in a population which have the charac- 
teristic or attribute of interest. M2, 

R2, S3 

Audit assurance The opinion provided 
by auditors to management on the 
extent to which reliance may be placed 
on internal controls as a result of audit 
evaluation and testing of those 
controls. HI 

Audit enquiry program See interrog- 
ation package 

Audit evidence B6, HI 

Audit indicator Any data or infor- 
mation directing the auditor’s attention 
to an area of activity. 

Audit planning B5, S3 

CHAM 1/83 



Audit software Purpose written com- 
puter programs, packages, utilities, 
interrogation facilities, modified pro- 
duction programs and embedded audit 
modules. C3, J1 

Auditability survey Consideration of 
whether a system provides adequate and 
accessible audit trail. Normally dealt 
with as part of the audit of computer 
systems development; it seeks to estab- 
lish that the system will be auditable in 
practice. C3 

Audit trail The identifiable and 
recorded path of documents or trans- 
actions through a processing system. 

CAATs Computer assisted audit tech- 
niques, used as evaluation and testing 
aids, which are facilitated by computer 
processing. C3, J1 

Code comparison program Used to 
compare copies of programs or data 
files to identify differences. For example 
an auditor may compare authorised cop- 
ies of computer programs with oper- 
ational versions. C3 

Compliance auditing Auditing those 
internal controls designed to ensure 
adherance to prescribed procedures, 
regulations or plans; sometimes known 
as regularity auditing. 

Compliance testing Testing to provide 
audit evidence that the controls identi- 
fied within a system are functioning. 

S3, HI 



Printed image digitised by the University of Southampton Library Digitisation Unit 



D1 



Confidence level A mathematically 
based term, used in statistical sampling, 
measuring the probability attached to 
the result of a random sample. M2, 
R2, S3 

Controlling B5 

Control objectives The management 
control objectives which a system is 
designed to meet and by which internal 
control may be evaluated. M8 

Current audit file A file of documents 
established for and maintained during 
an audit. 

Detailed audit programme The detail- 
ed work to be undertaken on an audit 
assignment including objectives. S3, 
C4 

Detective control A control designed 
to detect error, irregularity, or contra- 
vention of management’s directives. 

Discovery sampling A random sam- 
pling procedure which determines, with 
a given probability, whether a certain 
condition, eg error, exists; sometimes 
called exploratory sampling. M2, S3 

Dual purpose testing Testing to 
provide audit evidence satisfying both 
compliance and substantive test 
requirements. HI 

Exception A deviation from the pre- 
scribed system of internal control not 
necessarily resulting in error. 

External Auditor An auditor who 
gives an opinion on financial statements 
over a specified period. The statutory 
duty of the Comptroller and Auditor 
General, as external auditor in central 
government, is to provide an indepen- 
dent assurance for Parliament regarding 
the accuracy of accounts prepared by 
departments, and on the regularity of 
expenditure recorded therein. B9 



Financial auditing Historically 
oriented audit on the accuracy and 
reliability of financial data enabling an 
opinion to be expressed on financial 
statements . B 1 , L2 

Flowcharter A software package 
which analyses a program to produce a 
flowchart automatically. Used by audi- 
tors to assist in the understanding and 
documentation of computer programs. 

Flowcharting A diagramatic method 
of recording and describing a system 
showing the flow of documents and 
controls within that system. R3 

Fraud R8 

Independence of internal audit B2 

Information retrieval program See 
interrogation package 

Installation audit Audit of a computer 
centre usually including evaluation of 
organisational, file, software, contin- 
gency, and operational security 
controls. C3, J1 

Integrated audit monitor See resident 
audit program 

Integrated test facility (ITF) Where a 
system has been programmed to recog- 
nise test data amongst live data and to 
process it accordingly. Designed so that 
the auditor can test processing controls 
by inputting test data without corrup- 
ting files, reports or normal 
processing. C3, Jl, S5 

Internal check The checks on trans- 
actions which operate continuously as 
part of the routine system; for example 
the work of one person may be proved 
independently by, or be complementary 
to, the work of another. The object is 
the prevention, or early detection, of 
error and irregularity. C4, M8 



Printed image digitised by the University of Southampton Library Digitisation Unit 



01 AM 1/83 



D1 



Internal control system The whole sys- 
tem of controls, financial and otherwise, 
established by management in order to 
carry on business in an orderly and 
efficient manner, ensure adherence to 
management policies and directives, 
safeguard assets and secure as far as 
possible the completeness and accuracy 
of records. C4, M8, S3 

Internal control questionnaire (ICQ) 

A list of questions used by internal 
auditors to assist in the evaluation of 
internal controls and related to control 
objectives. S3, B1 

Interrogation Package A general pur- 
pose computer program for reading data 
files and generating reports where the 
file format, record selection and report 
format are normally specified by para- 
meters. Own-coding can be incorpor- 
ated to facilitate interrogation of files 
with complex record formats, extend 
selection criteria, introduce processing 
and enhance report formats. C3, J1 

Judgement sampling Selecting a 
sample of items for audit testing based 
on the auditor’s belief that they are 
representative or that they will yield 
audit evidence confirming conclusions. 
Sometimes called purposive 
sampling. S3 

Logic path analysis program A com- 
puter program which converts an oper- 
ational program into a structure 
diagram or flowchart for audit examin- 
ation. C3, J1 

Management auditing A forward 
looking evaluation by internal auditors 
of management activities to improve 
organisational economy, efficiency and 
effectiveness through improvements in 
the performance of the management 
function. B2, 15 

CilAM 1/83 



Mapping An addition to a computer 
program which analyses the frequency 
of execution of different parts of that 
program. Examples of use by internal 
auditors include identification of 
unauthorised changes to the program or 
errors. C3 

Materiality The extent of consequence 
associated with identified risk. HI 

Monetary unit sampling Random sam- 
pling which ensures that the chances of 
selection of each item to be tested 
increase with the value of that item. S3 

Normative auditing See parallel simu- 
lation 

Operational auditing A forward look- 
ing evaluation of operations by internal 
auditors to identify areas in which econ- 
omy, efficiency and effectiveness may 
be improved or to evaluate compliance 
with, and adequacy of, operational poli- 
cies, plans and procedures. Bl, 15, 16, 
LI 

Own-coding Instructions programmed 
by an auditor which are incorporated 
into an interrogation program or utility. 
Own-coding is used to tailor a software 
package or program to the auditor’s 
specific needs. C3, J1 

Parallel simulation A model system 
which simulates an application, or part 
of it. Large quantities of live data can 
be applied to a model and output com- 
pared with output from the live system, 
or with the auditor’s predicted results. 
C3, J1 

Permanent audit file A file of docu- 
ments to be used on future audits or 
for reference. C4, S3 

Population A term used in statistical 
sampling to describe all the items or 
data under investigation. The whole 
body of data which the auditor wishes 
to investigate. M2, R2, S3 



Printed image digitised by the University of Southampton Library Digitisation Unit 



D1 



Precision limit A mathematically 
based term used in statistical sampling 
to express variation from the best esti- 
mate resulting from a random 
sample. M2, R2, S3 

Preventive control A control designed 
to prevent error, irregularity or contrav- 
ention of management’s directives. 

M8 

Procedural control A control which 
functions as a part of the routine pro- 
cedures within an operation. M8 

Professional care B4 

Program auditing Inspecting a com- 
puter program listing to check on the 
way a procedure has been programmed 
or to test compliance with programming 
standards. Sometimes used to under- 
stand an application where the docu- 
mentation is inadequate. J1 

Query language An easy to use facility 
incorporated into an operating or data- 
base management system enabling 
simple enquiries to be made, for 
example to retrieve particular types of 
record. C3, J1 

Random sampling Sampling from a 
population so that every item in that 
population has an equal chance of being 
chosen, for example random number 
sampling or interval sampling. M2, 
R2, S3 

Recording R5 

Re-performance test An audit test 
which functions by re-processing a 
transaction or re-performing a pro- 
cedure to compare the auditor’s result 
with that already achieved. HI 

Relationships B9 

Reporting B7 



Report program generator A software 
package controlled by parameters; out- 
put is a program capable of producing 
a report. C3 

Resident audit programs Also known 
as embedded audit routines or integra- 
ted audit monitors. Software which is 
incorporated into a production program 
in order to perform a function on behalf 
of the auditor. Most commonly used in 
on-line, real-time systems to interrogate 
transactions or to record details of cer- 
tain types of transactions in an audit 
file for later use. Enables the capture 
of transaction data during normal pro- 
cessing rather than interrogating the file 
later. C3, Jl, S5 

Risk analysis A formalised method of 
quantifying risk in terms of probability 
and consequential exposure. B4, C4, 
H2 

Scope B1 
Staffing B3 

Statistical sampling Methods of sam- 
pling whole populations so that measur- 
able conclusions may be drawn about 
all the items which make up those 
populations. M2, R2, S3 

Substantive testing Testing of trans- 
actions and other data to provide audit 
evidence on the completeness, accuracy 
and validity of data tested and on the 
extent or effect of weaknesses in internal 
control. C4, HI 

Systems evaluation The judgemental 
consideration of internal control 
strengths and weaknesses in relation to 
control objectives. R3, S3 

Systems weakness Inadequate or inef- 
fective internal control. R3 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 1/83 



D1 



Tracing A method of making visible 
the sequential execution of instructions 
in a computer program. Internal audi- 
tors may use this technique to confirm 
that programmed controls operate in 
correct sequence. C3, J1 

Training B3 

Test data generator A program or 
package designed to create test data 
according to specified parameters. 

The test data may be used as input to 
the program under test. 

Test data method An approach to test- 
ing a computer system by using test data 
and checking the results of processing. 
The data used may be produced by a 
test data generator or be prepared by 
the auditor. C3, J1 

Test pack Originally a pack of 
punched cards containing various types 
of transactions to test the adequacy of 
checks and the correctness of computer- 
ised processing. Such tests may be stored 
on a magnetic medium or be keyed 
directly through a terminal. C3, J1 



Value for money auditing An 
approach to internal auditing with 
emphasis on considerations of economy, 
efficiency and effectiveness. Bl, D3, 
W1 

Validation Testing a transaction or 
record to ascertain that it accords with 
prescribed rules, procedures or 
policies. HI 

Variable sampling Random sampling 
to estimate the mean and variability of 
a range of values within a 
population. M2, R2, S3 

Verification Checking a record with 
another or others, or physically with 
assets, to establish consistency. C3, 

HI 

Vouching Checking a transaction with 
supporting documentation. C3, HI 

Walk through testing A preliminary 
examination of a system to confirm the 
auditor’s understanding of the way it 
functions; sometimes called ‘cradle to 
grave testing’. S3 



GIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



m 



Bibliography 



A1 American Institute of Certified Public Accountants 

The Auditor’s Study and Evaluation of Internal Control in EDP Systems 
(1977) Systems based computer audit 

B1 Brink V Z and Witt H 

Modern Internal Auditing: an Operational Approach Ronald Press (U.S.) 4th 
Edition (1982) Internal auditing applied to various functions 

B2 Brink V Z 

The Internal Auditor’s Review of Organisational Control 
Institute of Internal Auditors (1972) Research Report No. IS 

B3 Buckley R 

Audit Committees: their Role in UK Companies 

Institute of Chartered Accountants in England and Wales (1979) Research 
and appreciation of audit committees 

B4 Berkshire County Council 

Risk Analysis Local Government Finance (1972/3 and 1982) 

Cl Canadian Institute of Chartered Accountants 
Computer Control Guidelines (1970) 

C2 Cadmus B 

Operational Auditing Handbook 

Institute of Internal Auditors (1964) Manual on practical auditing 

C3 Chambers A 

Computer Auditing 

Pitman (1981) Concepts and practice of computer auditing 

C4 Chambers A 

Internal Auditing 

Pitman (1981) Covers the subject in general. Recommended reading for The 
Institute of Internal Auditors’ Diploma in Internal Auditing. Sections include 
audit approaches, reporting and behavioural aspects 

C5 Comer M J 

Corporate Fraud 
McGraw Hill (1977) 

C6 Chartered Institute of Public Finance and Accountancy 

Audit of Systems Development Procedures (Occasional Papers, No. I) (1981) 

C7 Chartered Institute of Public Finance and Accountancy 

The Prevention of Unauthorised use of Computer Facilities (Occasional 
Papers, No. 2) (1981) 

GIAM 1/83 

Printed image digitised by the University of Southampton Library Digitisation Unit 



02 



C8 Central Computer and Telecommunications Agency 
Handbook (1980) 

D1 Douglas I J 

Audit and Control of Mini and Microcomputers 

National Computing Centre (1982) Describes the main features and audit 
implications for both internal and external auditors 

D2 Douglas I J 

Security and audit of data-base systems 

National Computing Centre (1980) Control aspects 

D3 Dewar D 

‘Value for Money’ 

Public Finance and Accountancy (March 1982) 

HI Hatherley D J 

The Audit Evidence Process 

Anderson Keenan Publishing Ltd (1980) External audit oriented but includes 
concepts and techniques relevant to internal auditing 

H2 Hertz D B and Thomas H 

Risk Analysis and its applications 
Wiley (1982) 

11 Institute of Internal Auditors 
Auditing Fast Response Systems (1974) 

12 Institute of Internal Auditors 
Compac Manual (1982) 

13 Institute of Internal Auditors 

Interrogation Software for Internal Audit (1980) An appreciation of commer- 
cially available packages 

14 Institute of Internal Auditors 

Standards for Professional Practice of Internal Auditing (1979) 1 1 A 
standards 

15 Institute of Internal Auditors 

An Evaluation of selected current Internal Audit terms (1975) Research 
Report No 19 on management audit, operational audit, financial audit and 
performance audit 

16 Institute of Internal Auditors (UK) 

An Internal Audit Programme for Energy Conservation (1977) Research 
Report No 2 

17 Institute of Internal Auditors (UK) 

EDP Report No 1 (1976) A definition of audit activities within EDP areas 

18 Institute of Internal Auditors (UK) 

EDP Occasional Paper No 1 (1976) Guidelines for the audit of data-base 



Printed image digitised by the University of Southampton Library Digitisation Unit 



GIAM 1/83 



D2 



J1 Jenkins B and Pinkney A 

An Audit Approach to Computers 

Institute of Chartered Accountants in England and Wales (2nd Revised Edition 
1978) General computer audit 

LI Lindberg R A and Cohn T 
Operations Auditing 

American Management Association (1973) 

L2 Lowe E A and Shahin I 

Internal Audit of the Budgeting Functions and the Propensity for Information 
Bias 

MCB Publications (1980), Included in A B Chamber’s Internal Auditing; 
Development and Horizons (1980) 

Ml Mair W C, Wood D R and Davis K W 

Computer Control and Audit 

Institute of Internal Auditors (1977) Computer control techniques and 
auditing 

M2 McRae T W 

Statistical Sampling for Audit and Control 

Wiley (1974) Recommended reading for the Institute of Internal Auditors’ 
Diploma in Internal Auditing 

M3 Mints F E 

Behavioural Patterns in Internal Audit Relationships 

Institute of Internal Auditors (1972) Research Report No 17 

M4 Matthews H W 

Factfinding interviews (Accountants Digest 90) 

Institute of Chartered Accountants in England and Wales (1980) Training 
aid used by the Civil Service College 

M5 Morgan G and Pattinson B 

The Role and Objectives of an Internal Audit, a Behavioural Approach 
CIPFA (1975) 

M6 Morgan Richard S 
Computer Contracts 
Oyez publications (1979) 

M7 Mauty R K 

Corporate Audit Committees: Policies and Practices 
(1977) 

M8 Millichamp A H 

Auditing 

D P Publications (2nd Edition 1981) External audit oriented on audit 
techniques but with internal audit relevance 

OIAM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



D2 



M9 Morgan G 

Internal Audit Role Conflict; A Pluralist View 

see L2 

PI Parker D B 

Crime by Computer 
Scribner (1978) 

P2 Pritchard J A 

Security in On-Line Systems 
National Computing Centre (1979) 

P3 Pritchard J A T 

Security in communications systems 

National Computing Centre (1979) Examines security in software and 
hardware 

R1 Russell H F 

Foozles and Frauds 

Institute of Internal Auditors (1977) 

R2 Roberts D M 

Statistical Auditing 

American Institute of Certified Public Accountants (1978) 

R3 Rutteman P J 

Flow charting for Auditors (Accountants Digest No 32) 

Institute of Chartered Accountants in England and Wales (1976) Description 
of a flow charting method with examples and illustrations. Used by the Civil 
Service College as a training aid 

51 Systems Auditability and Control Reports 

Executive Report: Control Practices Report: Audit Practices Report ( set of 3) 
Institute of Internal Auditors (1977) Research 

52 Sawyer L B 

Modern Internal Auditing — What’s It All About? 

Institute of Internal Auditors (1974) 

53 Sawyer L B 

The Practice of Modern Internal Auditing (1981 Expanded Edition) 

Institute of Internal Auditors (2nd Edition 1981) Standard work. 
Recommended reading for the Institute of Internal Auditors’ Diploma in 
Internal Auditing 

54 Shaw J C 

Internal Audit — An Essential of Good Management 

see L2 

55 Squires T 

Security in system design 

National Computing Centre (1981) Includes planning , development , docu- 
mentation and control 



Printed image digitised by the University of Southampton Library Digitisation Unit 



CHAM i/83 



02 



VI Vanasse R W 

Statistics! Sampling for Auditing and Accounting Decisions 
McGraw Hill (1976) A simulation 

W1 Walley B H 

Efficiency Auditing 
(1974) 

W2 Woolf E 

Auditing today 

Prentice-Hall (2nd Edition 1981) External audit oriented but with relevant 
internal auditing material 



C31AM 1/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



Selected Treasury Guidance Documents 
on Financial Management 



Published papers 

1. Government accounting: A Guide on Accounting and Financial Procedures for the Use 
of Government Departments, 1974, ISBN 0 11 630668 8. Four Supplements have been 
issued since 1974: 

No. 1, 1976— ISBN 0 11 630669 6; No. 2, 1977— ISBN 0 11 630670 X; 

No. 3, 1977— ISBN 0 11 630671 8; No. 4, 1982— ISBN 0 11 630462 6. 

2. Investment Appraisal in the Public Sector: A Technical Guide for Government Depart- 
ments, 1982, price £1, ISBN 0 9502890 6 X. 

3. Investment Appraisal in the Public Sector: A Management Guide for Government 
Departments, 1983, price £1, ISBN 0 9502890 8 6. 

4. Government Internal Audit Manual: HM Treasury 1983, Issued in three stages 
ISBN 0 11 630293 3 ISBN 0 11 630294 1; ISBN 0 II 630295 X 

5. Explanatory and Technical Notes in Part 5 of The Government’s Expenditure Plans 
1983-84 to 1985-86, Cmnd 8789-11, price £9.75. ISBN 0 10 187891 5. 

6. Guide to the Supply Estimates in Supply Estimates 1983-1984, Memorandum by the 
Chief Secretary, March 1983, ISBN 0 10 188170 3. 

Unpublished papers (not obtainable outside the public service) 

7. Financial Information System Operating Procedures Manual, 1982. (Revised pages issued 
when necessary). 

8. Fees and Charges — A Guide for Government Departments, 1983 

9. Treasury Ready reckoner for Staff and other Costs. (Revised annually) 

10. Staff inspection and grading guidance manuals 

11. Glossary of Accounting Terms 1977 

OIAM 12/83 



Printed image digitised by the University of Southampton Library Digitisation Unit 



